[HN Gopher] NPM Is Joining GitHub
___________________________________________________________________
NPM Is Joining GitHub

Author : mholt
Score  : 1205 points
Date   : 2020-03-16 17:01 UTC (5 hours ago)

(HTM) web link (github.blog)
(TXT) w3m dump (github.blog)

| rtsao wrote:
| I hope this doesn't alter the current GitHub npm package registry policy where all packages _must_ be published under a scope corresponding to the name of the owning GitHub user/org. The resulting increased transparency and clarity of ownership will be great for the JS ecosystem.
|
| The existing npm ownership model is markedly less clear and has led to several problems, including the transfer of package publishing rights to bad actors without anyone being aware. On the whole, npm accounts and orgs were always just an unnecessary abstraction that obscured the actual provenance of software, of which GitHub is the de facto source.
| ocdtrekkie wrote:
| I think this is the big reason I'm excited about NPM joining GitHub. I don't trust NPM (I'm not fond of package repos in general), but tying packages closely to their GitHub source offers significantly more verification potential that a package is in fact comprised of the source code for it, and that it hasn't recently turned hostile.
| clarkbw wrote:
| Yes thank you! We believe namespaces are a good thing and will continue to promote it as best practice.
|
| Hopefully we can integrate repository information to packages meta data such that you could be aware of a change of ownership even for a globally namespaced package.
| toastal wrote:
| Does this mean using alternatives (GitLab, et al.) is not an option?
|
| The worst option has been Elm's system where the whole package system requires you to not only use GitHub, but when GitHub is down (which isn't uncommon unfortunately) packages that weren't cached locally were inaccessible with no mirroring options.
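The ownership signals raised in the comments above (a scope that matches the owning GitHub user/org, and noticing when publishing rights or the source repository change hands between versions) can be checked from registry metadata. This is an added example, not part of the thread and not npm's or GitHub's code; the package `@acme/left-util`, its users and its dates are constructed, and the field names (`versions`, `maintainers`, `_npmUser`, `repository`, `time`) follow the npm registry's package document layout.

```javascript
// Added example: flag ownership changes between published versions.
// Constructed sample data; only the field names mirror a registry document.
const samplePackument = {
  name: "@acme/left-util",
  time: {
    "1.0.0": "2019-01-10T10:00:00.000Z",
    "1.0.1": "2019-03-02T09:30:00.000Z",
    "1.1.0": "2019-11-20T22:15:00.000Z",
  },
  versions: {
    "1.0.0": {
      repository: { type: "git", url: "git+https://github.com/acme/left-util.git" },
      maintainers: [{ name: "alice" }],
      _npmUser: { name: "alice" },
    },
    "1.0.1": {
      repository: { type: "git", url: "git+https://github.com/acme/left-util.git" },
      maintainers: [{ name: "alice" }],
      _npmUser: { name: "alice" },
    },
    "1.1.0": {
      repository: { type: "git", url: "git+https://github.com/mallory-dev/left-util.git" },
      maintainers: [{ name: "alice" }, { name: "mallory" }],
      _npmUser: { name: "mallory" },
    },
  },
};

// "@acme/left-util" -> "acme"; unscoped names -> null.
function scopeOf(name) {
  const m = /^@([^/]+)\//.exec(name || "");
  return m ? m[1].toLowerCase() : null;
}

// Extract the GitHub user/org from a `repository` field (string or {url}).
// Handles https, git+https, ssh (git@github.com:owner/repo) and "github:" shorthand.
function githubOwner(repository) {
  const url = typeof repository === "string" ? repository : repository && repository.url;
  if (!url) return null;
  const m = /(?:github\.com[/:]|^github:)([^/]+)\/[^/]+/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Walk versions in publish order and report what changed since the previous one.
function ownershipFindings(packument) {
  const times = packument.time || {};
  const order = Object.keys(packument.versions).sort(
    (a, b) => (Date.parse(times[a]) || 0) - (Date.parse(times[b]) || 0)
  );
  const scope = scopeOf(packument.name);
  const findings = [];
  let prev = null;

  for (const version of order) {
    const meta = packument.versions[version];
    const cur = {
      maintainers: new Set((meta.maintainers || []).map((m) => m.name)),
      publisher: meta._npmUser ? meta._npmUser.name : null,
      repoOwner: githubOwner(meta.repository),
    };

    // The scope should name the same user/org that owns the source repository.
    if (scope && cur.repoOwner && scope !== cur.repoOwner) {
      findings.push({ version, kind: "scope-mismatch",
        detail: `@${scope} vs github.com/${cur.repoOwner}` });
    }
    if (prev) {
      for (const name of cur.maintainers) {
        if (!prev.maintainers.has(name)) {
          findings.push({ version, kind: "new-maintainer", detail: name });
        }
      }
      if (cur.publisher !== prev.publisher) {
        findings.push({ version, kind: "publisher-change",
          detail: `${prev.publisher} -> ${cur.publisher}` });
      }
      if (cur.repoOwner !== prev.repoOwner) {
        findings.push({ version, kind: "repo-owner-change",
          detail: `${prev.repoOwner} -> ${cur.repoOwner}` });
      }
    }
    prev = cur;
  }
  return findings;
}

console.log(ownershipFindings(samplePackument));
```

A finding is a prompt for review before upgrading, not proof of compromise: maintainers and repositories also change hands for ordinary reasons.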
| thunderbong wrote:
| Ok, everyone seems to be beating up on Microsoft per the top comment here.
|
| I have a counter point -
|
| Does anyone ever think what would happen if Microsoft were to disappear tomorrow? How would you get your driver's license? How would you process your mortgage? How would you go about buying tickets for anything? How would you get your groceries and food?
|
| Are we expecting everyone to run Linux? Or shall we say, Ubuntu? Or was it Mint? Can we decide on a specific desktop OS? Can we? Can we pick up a USB wifi dongle or connect a printer and expect it to work? Are you frikkin kidding me? We'd be running around like chickens with their heads cut off.
|
| Get over it, all of you. Frikkin grow up. We've had the thirty years since Linux came on the scene. And what have we done? You'll say - "we've got the server market". Sure. And what is that? Ubuntu, right? Give me a break. If it wasn't for Mark Shuttleworth, even that wouldn't have been there.
|
| We want to be kids. We want to play with our toys in our corner of the room throughout our lives and we want others to clothe and feed us for free. That's what we want. We want to share, but don't want others to make money off it. And what happens? A big corporate comes around giving everything away for free, and we all grab it with both our hands. And 15 years later, we cry that the corporate has gone evil.
|
| We keep complaining about Microsoft on Hacker News, typing on Apples and iPhones and Androids. Are you all delusional? Are you all blind? There is NOTHING free in this world, including lunches.
|
| People pay for things that will work together seamlessly, that takes the least effort to work with. Why? Because software, programs, operating systems are not the end of the world, life is. There are more important things in life than tabs or spaces, or carriage returns and line feeds.
|
| And the only way that can happen, when someone says I'll give $X for Y and you give him Y, rather than twiddling around with Z.
|
| I've had battles with Microsoft by way of IE. I've also battled with Linux. Major battles. But the battles I've had with Microsoft, I got paid for. The battles with Linux? Well, maybe I got music playing on my laptop. Only on mine, mind you!
|
| I think it's time we admitted to ourselves, that we can't decide on anything collectively. I think it's time we stopped being cranky, demanding, tantrum throwing children. We'll all die soon and everyone will be paying for software as a service and we'll all be old farts talking about the good old days, when we could download a program, modify it and run it only on our system.
|
| I'm tired of all your hangups. Holding on to decade old grudges. Dreaming about the glorious future of software that just might have existed if everyone had just the same idea as you.
|
| Grow up, open your eyes, get a life. Stop being so self-centered and churlish. Stop trying to see flaws everywhere except yourself. Stop trying to complain about open source everywhere and see that all kinds of software need to exist.
|
| Go out. Do good for someone. Get paid for it. Come back home. Enjoy dinner with your family. Get a good night's sleep.
| talawahtech wrote:
| Ok now Microsoft just needs to acquire what remains of Docker and their Developers, Developers, Developers, Developers collection will be complete.
| nojvek wrote:
| Github announced the Github packages feature a while back, but without npm it didn't quite make sense. Acquiring npm means github not only hosts source code, but packages as well. With Github Actions, they want to be the one stop shop for code lifecycle and be at the forefront of javascript ecosystem.
|
| If developers love Github, they love the cloud.
| Microsoft is betting big on the cloud, they lost the Mobile war but they definitely want to be the developer and cloud darlings.
| nathcd wrote:
| <tangent>
|
| Sometimes I wonder what the business world (and the internet) would be like if mergers and acquisitions weren't allowed. Like, if businesses had to be sustainable or they'd just die, rather than capturing a whole market while eating VC money, maybe we'd all be better off? All of the really embarrassing stuff coming out of SV would just go away? Just Pinboards and Sourcehuts and Mastodons ruling the web?
|
| I'm capitalistically illiterate, so somebody please tell me why this thought is stupid.
| cortesoft wrote:
| What would happen to all the tech, equipment, and employees after the company goes out of business? We have to burn it?
|
| If we did that, it would be a crazy waste of resources. The alternative is to let another company buy the stuff... and if a company buys the failed company's tech, equipment, and hires their staff... that is basically the same as buying the company.
| nathcd wrote:
| I mean, what would normally happen is employees look for new jobs, equipment is sold, and tech is thrown away (or open sourced in rare cases). Doesn't this already happen all the time?
| worik wrote:
| Perhaps they will do the right thing and shut it down
| throwaway78359 wrote:
| Microsoftie here -- throwaway for obvious reasons.
|
| Microsoft doesn't do everything right but the GitHub acquisition has honestly gone better than I ever expected. Rather than forcing GitHub to adopt Microsoft centric policies, Microsoft has adopted more GitHub stuff, especially from a product POV. GitHub still runs as a separate company (different logins and health care and hiring systems) with its own policies and point of view.
|
| The reality is npm was in a bad place and in a land of not good options, this strikes me as the best possibility.
| I'd rather have GitHub control this and be able to give the resources to npm than a company like Oracle or Amazon or even Google or Facebook to own it. In a perfect world, some independent entity could fund npm out of gratitude but at the same time, consider how poorly npm as a company was run for YEARS and the general lack of direction.
|
| So yeah, I'm cautiously optimistic this won't be fucked up by GitHub -- but I understand the concern.
|
| As for those worried about Microsoft embracing, extending, and extinguishing. Lol. Even if that was the goal (and I truly don't think that's the ethos at all any more), Microsoft is laughably incompetent at achieving that sort of strategy. Google and Amazon have the EEE under lock right now (Facebook too -- let's be glad Zuck didn't buy this after we saw what happened to yarn), but Microsoft can't even put coherent dev strategy outside of .NET on Azure.
| manigandham wrote:
| What's wrong with Microsoft's dev strategy? .NET continues to be the most powerful and productive platform that I've used.
|
| .NET Core was a great move and it's all coming together nicely now, and even creating innovations like Blazor.
| judge2020 wrote:
| I think the poster was saying that .NET has a dev strategy, but other projects don't.
|
| > Microsoft can't even put coherent dev strategy _outside of_ .NET on Azure
| skrebbel wrote:
| > after we saw what happened to yarn
|
| I missed something, what happened to Yarn?
| purplerabbit wrote:
| Second this. It still seems to be working fine... (actually, better than npm last I checked)
| pkilgore wrote:
| The maintainer released Yarn 2. Yarn 2 is pretty foundationally different than Yarn 1, and can and does break a lot of products/projects if used. Some folks are not happy about it, although Yarn 1 will probably continue to be maintained by the community for a while.
|
| This seems to be pretty fair about the whole thing: https://shift.infinite.red/yarn-1-vs-yarn-2-vs-npm-a69ccf022...
| cjbassi wrote:
| Note that yarn is also no longer under the control of Facebook and the primary maintainer who has been developing yarn 2 no longer works there.
|
| https://yarnpkg.com/advanced/qa#is-yarn-operated-by-facebook
| mizzao wrote:
| > Google and Amazon have the EEE under lock right now
|
| what is EEE?
| boramalper wrote:
| Embrace, Extend, and Extinguish:
|
| > "Embrace, extend, and extinguish" (EEE), also known as "embrace, extend, and exterminate", is a phrase that the U.S. Department of Justice found was used internally by Microsoft to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences in order to strongly disadvantage its competitors.
|
| https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
| prawnsalad wrote:
| Embrace, extend, and extinguish
|
| https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
| sandov wrote:
| "Github acquires npm" would be a better title IMO.
| kdaigle wrote:
| Today we've announced that we've signed an agreement to acquire NPM but we technically have not acquired them yet (referred to as "closed"). NPM is still their own company for now and that's why the language is future tense.
| TheKarateKid wrote:
| Then saying "GitHub is acquiring NPM" would've been a more accurate way to say this.
| sandov wrote:
| "Github is acquiring npm" then. "NPM is joining Github" sounds like you're just using Github to host your stuff.
| Conan_Kudo wrote:
| Using the "is joining" phrasing is a classic way to try to spin an acquisition as some kind of partnership. 99% of the time, it's definitely _not_.
| rdiddly wrote:
| I literally thought that, clicked _hide_, then thought "Wait a minute, do they mean...?"
| and had to go fish it out of hidden items.
|
| "Joining" is an interesting term here... but I suppose it won because it sounds more like something friendly humans would do. "NPM Is Breaking Bread and Sharing with Github as Special Friends."
| hinkley wrote:
| I am glad that the npm team will finally have some adult supervision.
|
| Meanwhile, I _almost_ have my team switched to yarn.
| SahAssar wrote:
| NPM is a lot more than the CLI. Even if you use yarn as the CLI you are still using npm for hosting and all the other parts that don't run on your computer. You can run your own npm repo, but hardly anyone does for all their dependencies (not talking about just caching here).
|
| I'd wager most people who use yarn even installed it via the npm CLI.
| hinkley wrote:
| I mean yes, but no, but yes. For one, a lot of companies end up using Artifactory or similar, so npm is the source of truth but not the source of tarballs.
|
| Didn't GitHub set up their own npm registry recently? Shots have been fired in this regard. Which, now that I type that out, makes me kinda wonder how amicable this purchase was...
|
| It'd be such a shame if something bad were to happen to your lovely repository...
| Normal_gaussian wrote:
| yarn v1+ or yarn v2/berry?
|
| Switching to berry has been a huge PITA over here, but I don't want to give up workspaces
| hinkley wrote:
| > yarn v2/berry?
|
| I had still been following 1.x
|
| Looking at https://yarnpkg.com/advanced/migration : T-T
|
| We have so many little modules from different teams, or even borderline abandonware, that it would take ages to make these changes, and 'yarn node'?? Just... no. How is that ever gonna work consistently with node_modules/.bin?
|
| At this point my choices are, start contributing to yarn _and_ npm development, or get my ass in gear on learning Elixir and Rust. I have been wondering for maybe 18 months if I might be 'done with Node'.
| I think I've had it backward this whole time. Node may in fact be done with _me_.
| hinkley wrote:
| Our 'workspace' is so ornate that yarn couldn't handle it. 1.21+ almost looks right, but something very bad is still going on with mocha deduping, such that tests are failing with really bizarre error messages.
|
| I check yarn about every three months, or when I find a new, infuriating bug with the npm CLI (so, every couple of months on average). I think npm install suffers greatly from not having a formal spec. It has been bugfixed by so many different individuals now that it has reached a truly astounding level of schizophrenia.
|
| If yarn didn't exist, I would have started trying to break down the install problem into many independent concerns that can be reasoned about individually and tried to solicit help in making a full installer out of it. If I'd known I'd still be trying to make yarn workspaces work for us 18 months later I probably would have.
|
| Node modules in general have some bad patterns of delegation that are utterly antagonistic to self-documentation, and both yarn and npm seem to suffer from this as well. I think in the next week or so I'm going to have to set up a small test case that exhibits the yarn bug I'm seeing, or any of the half a dozen interlocking (emphasis on 'lock') npm bugs that now have me painted into a very tiny corner.
| madeofpalk wrote:
| I suspect you're still using the npm repository though? That's the actual 'valuable' thing that NPM (the company) makes.
| ProAm wrote:
| "Microsoft acquires npm"
| Verdex wrote:
| Yeah, I was confused when I first heard of it because it seems like an odd couple to "join" one another. However, it makes perfect sense for github to purchase npm.
| goofballlogic wrote:
| A sad day I think. I wish more independent ecosystems were evolving, instead of consolidating.
| bjt2n3904 wrote:
| You know, my initial reaction was...
| oh no, the toxic people who run NPM and Node.js[1][2] are going to infect GitHub.
|
| But then I read that other front page article about the guy that got mysteriously "flagged", and the invasive questions he was asked. Maybe Github is already too far gone.
|
| Maybe it should be... please, bundle all the toxic people together in one spot, and let it all come crashing to the ground. I've had serious reservations about using Node.js in a product I've been tasked to work on, for the reasons I listed below. It'd be great if they just... ceased to exist.
|
| 1 - left-pad incident
|
| 2 - The Ayo fork drama
| rattray wrote:
| Wishing ill on others or their projects ("it'd be great if they ceased to exist") does not reduce toxicity.
| jrimbault wrote:
| Interesting transitive ownership/dependencies here.
| simlevesque wrote:
| I did not see that coming. I trust Microsoft to be able to offer great availability and nice software. It is maybe not the best overlord we could have hoped for but it's way better than the status quo.
| okareaman wrote:
| I'd like to see Microsoft bring Ryan Dahl (original author of node) back in the fold by sponsoring/buying Deno with TypeScript. It's a good fit.
| dubcanada wrote:
| Wait, so is it joining Microsoft? Or is it under Github, which is under Microsoft?
|
| I don't fully understand the way it's governed from this article.
| clarkbw wrote:
| Part of GitHub (I work at GitHub and lead the Packages team)
| cmckn wrote:
| How does this acquisition relate to Package's support of npm artifacts? Or, I guess, how will Package's npm support change after this?
| clarkbw wrote:
| The post covers this.
|
| > Later this year, we will enable npm's paying customers to move their private npm packages to GitHub Packages--allowing npm to exclusively focus on being a great public registry for JavaScript.
|
| Packages will continue to develop its npm registry.
| We have a lot of work to do in securing the software supply chain.
| mceachen wrote:
| Can I be so bold as to suggest a new feature?
|
| It'd be wonderful, as a package consumer, to have visibility into some security metrics for a given package. This would be useful both at initial install time, and when the package is upgraded. Something like:
|
| 1) who are the latest commits GPG signed by?
|
| 2) is the package publisher using 2FA?
|
| 3) what is the security profile of all dependent packages?
|
| 4) are there any new authors (directly or via dependencies) since the last version (with links to the author and their contributions).
|
| These might help avoid prior situations where popular packages get injected with malware by new maintainers.
| clarkbw wrote:
| Yes, we (internally) call this a "Bill of Health" and believe that all packages should have this kind of diff-able information available. Understanding what's happening at the source level is key to being able to trust any package published.
| mceachen wrote:
| NICE! It would be wonderful to expose that information!
|
| Somewhat related, I believe NPM pulled in (or co-opted) some of the heuristics from this: https://github.com/npms-io/npms-analyzer (but those don't seem to include any of the aspects I suggested above).
| csours wrote:
| Slightly OT: Is Packages coming to Azure DevOps Server (local/corporate hosted)?
| Brendinooo wrote:
| I occasionally forget that Microsoft bought GitHub. They certainly don't do anything here to remind me of that fact.
|
| How separate from MS has GitHub been in day-to-day operations?
| [deleted]
| reilly3000 wrote:
| I can't speak to company internals, but I do know that Azure is powering GitHub Actions runners, and there have been a firehose of new features coming out of GitHub in the past year. I imagine it's pretty core to their "Developers Developers Developers" strategy.
| owenwil wrote:
| GitHub employees have access to Microsoft internal tools and a Microsoft email address, so I don't think there's too much internal firewalling.
| kdaigle wrote:
| I've been at GitHub for 7 years and we operate independently but have the support and resources of Microsoft when we need them. IMO, they've been amazing partners but day to day the GitHub team builds, prioritizes, and supports GitHub.
| nojvek wrote:
| It's totally the smart thing to do. Github needs a ton of cloud compute with github actions, Azure powers it. Github brings a very strong brand that developers love, which gives Microsoft a good rep amongst technical folks.
|
| This is as good as Google acquiring Youtube because Youtube needs an insane amount of bandwidth and it was a perfect fit for Google's infrastructure and ad platform.
|
| It's just sad to see Google not playing the Developers game well.
| bengale wrote:
| Do you think they're going to try and push us towards azure more, or force us into using Microsoft logins?
| batmansmk wrote:
| VsCode, Typescript, Github, NPM.
|
| And Microsoft doesn't even have to maintain the main runtime, Google does. What a clever strategy!
| Scarbutt wrote:
| and Edgeium.
| BiteCode_dev wrote:
| Yes, they almost own the entire JS ecosystem at this point.
|
| They lost a decade of battles for the web, but it seems they just found a way to get back in the fight.
|
| Now at the IE 6 times, that meant monopoly, and it was terrible news.
|
| But today, it means more competition between the giants, which is very good for us.
| sbarre wrote:
| One could argue that the IE6 of our times is Google Chrome at this point..
| impatient_bacon wrote:
| Safari.
| stingraycharles wrote:
| Safari doesn't have the market share that IE6 had, though. Chrome has.
| dlivingston wrote:
| Care to explain? Safari has one of the highest standards compliance of any modern browser [0], which IE famously did not.
|
| It has been argued with various success [1] that Chrome is the new I.E., due to "Chrome exclusive" web standards.
|
| [0]: https://html5test.com/compare/browser/safari-11.2/chrome-30/...
|
| [1]: https://news.ycombinator.com/item?id=16070595
| sgtfrankieboy wrote:
| If you are going to compare browsers make sure you aren't comparing against a version of Chrome from 2013.
|
| Here is the correct comparison: https://html5test.com/compare/browser/safari-11.2/chrome-68/...
|
| Which clearly shows it's the worst of the bunch.
|
| Edit: Also just noticed, the latest Chrome version that the site has is 68. We're currently on 80+
| nickpresta wrote:
| A more up-to-date, although not complete, comparison is available here: https://caniuse.com/#compare=firefox+74,chrome+80,safari+13
| artursapek wrote:
| I also can't run Safari on my Windows or Linux machines.
| lexicality wrote:
| Not for Javascript it doesn't.
|
| Plus because it's tied to the OS and the phone determines the maximum OS you end up with a bunch of users stuck on ancient and buggy versions.
|
| This is to say nothing about the remote debugger purposefully locking you out of older versions for no reason to make debugging them harder.
| jbjorge wrote:
| I've worked with projects that used iframes in safari. It had some of the weirdest bugs. Some random times it didn't render changes to the DOM. Sometimes when clicking input fields it would focus the surrounding iframe element.
|
| A webview in iOS could sometimes crash system wide. Not enough to restart the app. You'd have to restart the device.
|
| Felt like a sitcom when I had to ask customers if they'd tried turning it off and on again.
| saagarjha wrote:
| Chrome is pushing version 80, I'm not sure why that website is using a version from seven years ago...
| Spivak wrote:
| I think the honest truth is that a lot of developers see Safari similarly to IE because Firefox and Chrome are quick to jump on and ship new features and "if only Safari kept up" they could be used "everywhere". Combined with the fact that iOS is large enough that you can't just drop Safari support and tell them to use Chrome.
|
| It's a weird world where webdevs apparently ideally just want everyone on the 6 second old version of Chrome. I totally get it -- it's an absolutely rational stance but it feels a lot like how devs felt about IE6 at the beginning.
| oorza wrote:
| You're right, IE6 was amazing at the time. It made a ton of things possible that previously hadn't been, and the standards bodies were lagging behind it. Had MS actually kept updating IE6 and kept it ahead of the standards, the standards would never have mattered, and we'd never have developed this sick taste for IE. No one hated that they had a monopoly, we hated that they had a _stagnant_ monopoly.
| manigandham wrote:
| Safari is way behind Chrome and Firefox on web features and has all kinds of proprietary rules on existing implementations.
|
| It's not even required or the default install on any OS. And it has rapid updates that constantly test new features and improve performance and security.
|
| Any "exclusive" features are just early testing for later standardization. It's Safari that's lagging in implementing them.
| lucideer wrote:
| In fairness to Microsoft, they did at least spend a little bit of time considering / working toward maintaining the runtime part, before deciding otherwise https://github.com/nodejs/node-chakracore/issues/628#issueco...
| Ayesh wrote:
| Also the new Chromium Edge is making its way. This will give some leverage on the browser front too.
| dgb23 wrote:
| To be honest I like this new Microsoft.
| VSCode is a really good tool, C# is amazingly performant and they don't talk quite the same BS lingo as some other big players. Also MS research produces some really good stuff.
| swyx wrote:
| to be clear, Chrome's overall value to Google probably dwarfs all those things combined.
| sitkack wrote:
| They could fork it, the core of the runtime work is moving to WebAssembly anyway which is a much more tractable problem. Sure this is a boatload of JS work to do at the interface boundary but the amount of hard compiler and jit work that needs to be focused on by main runtime is much lower.
|
| Someone at MS knows strategy and tactics. When MS and Windows bootstrap themselves into the cloud, they will have some software to land on.
| flanbiscuit wrote:
| I wonder if more people will look into adopting Deno[1], the new node alternative by one of the creators of Node. It does not use NPM, you pull in packages Go-style (via URLs[2]). It's supposed to be more secure because you have to explicitly give it access to anything (i.e. network, file system, etc).
|
| [1] https://deno.land/
|
| [2] example import in Deno: import { serve } from "https://deno.land/std@v0.36.0/http/server.ts";
|
| Previous HN about Deno: https://news.ycombinator.com/item?id=22102656
| threatofrain wrote:
| Is deno debugging there yet?
| ledgerdev wrote:
| Node+NPM isn't going anywhere, but Deno sure seems like the server based runtime of the future.
| wwweston wrote:
| The thought that's going into Deno about permissions and upstream package issues have me considering it where I've generally rejected node.js for anything serious (also recognizing that it's probably early for production use).
| zozbot234 wrote:
| It's on there already. https://github.com/npm/ and https://github.com/npm/cli
| applecrazy wrote:
| No, NPM _the company_ is being acquired by Github.
| znpy wrote:
| this should really be titled "npm is joining Microsoft"
| breatheoften wrote:
| (Wishful thinking ...) Does this mean the next release of npm will be yarn v2 and that typescript will implement support for the pnp spec so we can converge the javascript packaging space to a sane place?
| Vinnl wrote:
| There already is a Yarn v2: https://dev.to/arcanis/introducing-yarn-2-4eh1
| breatheoften wrote:
| Does typescript support pnp somehow now? (That's actually the thing I'm wanting ...). npm's cli going away was an attempted tease (in bad-taste i think)
| brenden2 wrote:
| This kind of consolidation is probably not good for everyone who depends on open source projects. Microsoft now owns a significant portion of software distribution.
| fiberoptick wrote:
| Embrace, extend, extinguish.
| stephen82 wrote:
| Exactly!
| https://linux.slashdot.org/story/20/03/16/0137200/windows-su...
| JMTQp8lwXL wrote:
| I can see why this comment is downvoted, because it's mostly superficial, but also, there's some truth to this perspective. Microsoft's acquisitions raise questions for what the open source ecosystem of tomorrow will look like. Chrome seemed to answer a lot of issues with browsers when it came out, but look how many people today are uncertain now that the APIs powering the uBlock extension will be deprecated. It would be short-sighted for us to look at Chrome's history, and then say "nothing could ever happen to Open Source" without giving the perspective a serious consideration.
| waydowntogo wrote:
| RIP NPM
| thulecitizen wrote:
| Yay more centralization! What could possibly go wrong with critical components being hosted by one big corporation?
| jxub wrote:
| NPM is joining GitHub, GitHub joins Microsoft, Microsoft joins... ;)
| skrebbel wrote:
| Assuming this was an acceptable exit: I'm impressed that NPM pulled this off.
| They were basically doing the "no revenue model to speak of, hope we'll get acquired by a bigco" startup play that was starting to go out of vogue already when they were founded.
|
| I wonder to what extent they've had influence over their own success at all though. Basically they had to hope that JS stayed popular (it did), that Node stayed relevant (it did) and that the entire JS ecosystem would move over to NPM (it did, but I'd say rather despite NPM than because of it) (I mean, otherwise Yarn wouldn't even exist, right?).
|
| So basically their bet was:
|
| - Turn NPM into a startup
|
| - Keep the lights on
|
| I bet I'm missing all kinds of key behind-the-scenes stuff, but still, I don't know many startups that manage to successfully exit by "just" keeping the lights on. In a weird cringey way, it's motivating.
| zomglings wrote:
| Not sure how good an exit it was. Crunchbase says they have fewer than 50 employees [0], so I'm guessing the first 10 people did pretty well but that the rest got what amounts to a nice bonus.
|
| Keeping the lights on long enough makes this kind of exit more likely. Paul Graham has a good article about this: http://www.paulgraham.com/die.html
|
| NPM did better than "just" keeping the lights on, though. They even held Yarn at bay by adopting its best features very quickly.
|
| [0] https://www.crunchbase.com/organization/npm
| tdumitrescu wrote:
| Here's what isaacs writes in the NPM blog post (https://blog.npmjs.org/post/612764866888007680/next-phase-mo...). It doesn't seem like anyone on the NPM team did great financially from this:
|
| "I have a set of goals that I wrote down back then, and have shared openly with the team.
|
| ...
|
| 3. Get a big enough exit that I can quit my job and see what comes out of me a second time.
| 4. Share the rewards equitably with the people who got npm to where it is.
|
| ...
|
| On (3), well, I'm still working a jobby job, but I always knew that was a long shot, and "make npm a better package manager" is a job I enjoy. And as for (4), I'm proud of the deals that we've been able to negotiate for the team.
|
| It's not a kajillion billion dollar 10x startup cinderella story, and we've taken our hits, but in the end we've done right by our community, team, and careers, and I'm extremely proud of what we've achieved."
| daveisfera wrote:
| Neither side is announcing a price and NPM has been struggling financially for a while, so the likelihood that it was a "good exit" is low.
| austincheney wrote:
| Is this a too big to fail kind of charity acquisition?
| markovbot wrote:
| no, this is microsoft "embracing" (buying control of) a huge point of centralization in a software distribution ecosystem, positioning them to have greater power over a huge number of developers.
| JMTQp8lwXL wrote:
| Microsoft turned their reputation around in recent years with developers but I wonder how long it will last.
| bepotts wrote:
| I think people are "okay" with Microsoft because so many hackers have a problem with the data agglomeration and monetization strategy of Google and Facebook, but this Microsoft "embrace" will come to a head within the next couple years and I just can't wait for it.
|
| The way people think Microsoft's embrace of open source, GitHub, and now NPM is genuine is completely ridiculous. Microsoft had to change because much of where the action was is on *nix systems. Microsoft will start to use these companies to make developers embrace Microsoft services. It's only a matter of time.
| roguecoder wrote:
| I don't give any credence to the idea that Microsoft under Satya Nadella is the same company as Microsoft under Gates or Ballmer, much less the idea that it is secretly lying in wait to go back to its old, far-less-profitable ways. It has behaved differently.
It is making | its money differently. It no longer stack-rank fires | people. And it is making a whole lot more money doing | things this way than it made the way it used to behave. | KarlKemp wrote: | I can't even come up with a scenario of _how_ MS would | realistically do so? Sure, making GH actions easier to | set up with Azure than AWS seems plausible, but also | strikes me as somewhat benign. | | Banning python from Github? Requiring \r\n for NPM | packages? What's the move you're afraid of? | Vinnl wrote: | One question GitLab's CEO (sytse) is rightfully asking is | whether the ability to trace code from npm back to the | repository will be available to competitors. If not, less | competition is bad for users. | | I still think this is good news, given where npm is | coming from, but it's certainly not risk-free. | roguecoder wrote: | This is where effective anti-trust enforcement is | important and valuable. | | Until we come up with better trusted federation protocols | there will be natural monopolies, but that doesn't mean | they get unchecked power. We have laws for that. | [deleted] | swyx wrote: | i think so. the words "put npm out of its misery" come to mind. | duxup wrote: | I understand some folks trepidation but where was npm going | anyway? | CivBase wrote: | Am I weird for thinking it didn't need to go anywhere? | duxup wrote: | My understanding was that financially they were not going to | last long doing what they were doing. | roguecoder wrote: | There's a difference between "not going to last long" and | "not going to return 10x to their investors". This seems | like another example of the faustian bargain of taking VC | money. | duxup wrote: | Were they returning any amount of return? | ThrowawayR2 wrote: | That raises the question of how GitHub/Microsoft plan to | profit off the acquisition though? It can't be just for | goodwill or marketing. | dpacmittal wrote: | They own the ecosystem, they can leverage it in a lot of | ways. 
And cost of running npm is a drop in the ocean for a | giant like MS. | ecnahc515 wrote: | These companies don't need to profit off of acquisitions. | If they're going to, it doesn't have to be direct either, | it can be a method of growing their sales funnel if | nothing else, or even just acquiring talent. | mastax wrote: | Couldn't be subsidized by VC money forever. | tln wrote: | Maybe it needed to go somewhere to pay bills, or provide | upside to the options holders. | swyx wrote: | it was default going out of business so yes this saved it | from death | K0nserv wrote: | This seems like a good outcome overall. NPM being such an | important pillar in the software supply chain while having an | unviable business model and largely being funded by VC money was | never a good position to be in. There are problems with more of | the software ecosystem consolidating with a single entity but it | still feels like an improvement. | mbesto wrote: | > NPM being such an important pillar in the software supply | chain while having an unviable business model and largely being | funded by VC money was never a good position to be in. | | Why does NPM need to be funded as a commercial entity at all? | What other open source library has a private company running | its package manager? This one still boggles my mind. | fierarul wrote: | Maven Central is no hosted by Apache for example. | greggman3 wrote: | Confused why you think a service serving millions or | billions of requests a day wouldn't require money to run. Do | you think some grant magically appears out of thin air to pay | for the servers, storage, bandwidth, and maintenance? | ivanbakel wrote: | Big leap from "servers cost money" to "a package manager | requires a commercial entity". How are other language | ecosystems and package managers operating, many without | private companies attached, when they too are serving | millions of requests a day? 
| hobofan wrote: | Almost any other package repository is funded by donations | from companies using them or a grant from an infrastructure | provider. | timrod wrote: | For programming languages, there are several examples of | commercially run package managers: - the | Java/Kotlin/Scala ecosystem is based around maven central, | which is run by Sonatype, Inc. - Go modules are | hosted by Google. Previously, most libraries were hosted on | Github - Rust's crate index is on Github - | The Docker/Moby registry is run by Docker, Inc. (though that | might be a stretch for "package manager" :)) | zeeboo wrote: | Technically the Go module _proxy_ is hosted by Google. Even | if the proxy went away, you'd still be able to get access | to all of the packages as they're still hosted elsewhere. | It just wouldn't be as fast. | notRobot wrote: | Please don't use code blocks for regular text and quotes. | Really hard to read on mobile and narrow viewports. | monadic2 wrote: | I wasn't aware that I was a commercial entity because I use | github! | iterator5 wrote: | I think the point is that you are using a commercial | entity to host your code. There is a bill for the code | you have hosted, and you aren't the one paying for it. | dmix wrote: | It's never a problem until it is all at once and you | realize they hold all the keys. | bad_user wrote: | Maven Central has mirrors and alternatives and you can | trivially host your own repository, all you'd need is a | plain web server serving a bunch of static files. | | Some libraries aren't hosted on Maven Central actually, so | it's not uncommon to see instructions for adding extra | resolvers to your build config. | | The Java ecosystem isn't as dependent on Maven Central as | the JavaScript ecosystem is on npmjs.com | brunoborges wrote: | Almost every library out there is on Maven Central. Even | Oracle JDBC drivers are now (finally) on Maven Central. 
| | If MC goes away as it exists today, the Java Ecosystem | will take a huge hit as almost every open source project | would stop building in CICD environments from the get-go. | thu2111 wrote: | If it vanished _instantly_ then yes, but a huge number of | packages on Central are mirrors from jcenter. There are | not only theoretical competitors to Maven Central but an | actual widely used one (jcenter /bintray), which is | easier to use anyway. There's also jitpack too. So people | could migrate pretty quickly to alternatives. | Twirrim wrote: | I'm not sure I like the continued consolidation of all things | tech around just a few large companies. | | That's generally not a good place to be. | Barrin92 wrote: | given the significant returns to scale in the tech industry | this is a pretty natural development and it happens in most | tech sectors over time as monopolistic competition generally | outperforms the 'bazaar' economy. | | 'small business' is only the equilibrium in sectors that | can't increase aggregate output by growing or capital | investment like say, the restaurant industry. | sneak wrote: | I do not consider the largest distributor of proprietary, | closed-source spyware (Windows) owning the fastest growing open | source package manager to be a good outcome, personally. | ajay_sibri04 wrote: | Much better than google owning it | K0nserv wrote: | It depends on what the alternative is. When NPM starts | running out of money to run the service what would happen? | More VC, but only to a point and the firms would be | increasingly be influencing NPM to make money by any | means(probably not good for anyone but the firms). | Alternatively a cash strapped NPM fails to invest in security | and availability of the service leading to widespread outages | or worse a large scale supply chain attack facilitated via | the registry. | mbesto wrote: | > It depends on what the alternative is. | | Ruby Gems, PHP composer, PIP, etc. 
would all like a word | with you.... | | https://rubygems.org/pages/sponsors | | https://www.python.org/psf/ | rodgerd wrote: | Yeah, and the PSF is worried that the possible | cancellation of PyCon could send the whole foundation | broke. | | The fact that there's a bunch of critical infra run on a | precarious volunteer shoestring is not a good thing. | K0nserv wrote: | That's a path but NPM already being a company with | significant VC investment would a transition to such a | model work out with the existing stakeholders? Also NPM is | quite a bit bigger than both the Ruby and Python library | spaces. | wongarsu wrote: | Why would NPM run out of money? NPM is the primary vendor | for worry-free distribution and management of private | JavaScript packages for $7/month/user. In a time where | bandwidth is basically free (outside AWS/Azure/GCP) that | should surely pay for server costs and a handful of | developers. | | It probably isn't going to 20x VC money, but it sounds like | it would be profitable to run as a business. | mulmen wrote: | This is sad to read. Why does every project have to be | profitable? If NPM is useful users (companies and people) | can invest time or cash to support the operations and | continued development. This foundation model has been | successful across open source and prevents one company from | changing the direction of a project to fit their own needs | at the expense of everyone else. I think this was critical | to the continued growth of open source software over the | last two decades. If this trend of selling out to massive | corporations continues it will be a major step backwards. | K0nserv wrote: | To be clear that's not what I am arguing here, I agree | that package registries should, ideally, be owned and | supported by the community. However NPM already had | fairly significant VC investment and as such any | transition to a community supported model would be | challenging. 
| | The acquisition can be a good outcome for the current | situation without it being the ideal state of things. | Supermancho wrote: | You aren't the only one. Most users are too young to | understand how predatory Microsoft has always been. Can't | wait for the "npm won't publish my package because it | circumvents something in Windows" or whatever. Give it time. | golergka wrote: | And pulling a package from a custom url is what, one line | of code in this package documentation? And the moment it | happens, this package will be on top of HN? | | I understand the concern about MS business practices, but I | don't think it applies to environment where transactions | (as in, importing someone's package or submitting a pull | request to it) don't involve any contracts or money. | rafaelvasco wrote: | It may appear blaming Ms forever for their past actions is | a good idea. It's not. Those actions and decisions came | from certain people. They're long gone. I look only to the | present. MS decisions and actions these past few years have | been pretty solid imo. We must always assume the best of | everything, not the worst. No matter what. It may appear | naive, but it's the only sane way. | Aeolun wrote: | MS's decisions outside of everything to do with windows | 10 anyhow. | bdcravens wrote: | I am old enough (42) to remember those days, but honestly I | don't feel that threatened by them. I remember their EEE | days, and for a long time I haven't seen much of the same | behavior. | bromuro wrote: | Same here (40). I was with Ballmer singing "developer | developer developer"... i think his legacy is not that | bad. The company was not ready to grasp the idea of open | source at these times, but the principle holds. | allover wrote: | Tbf Microsoft have won back a lot of good faith with | developers due to projects like VS Code and TypeScript, | even for those of us who remember their past. 
| | And we're yet to hear of any negative impact of their | Github acquisition (afaik - correct me if wrong). | sneak wrote: | VS Code is also spyware; I am not sure that this argument | furthers your intended point. | | The fact that it is open source and popular is not | sufficient on its own. It had to be forked (vscodium) to | show basic respect for the user's privacy and system | resources. | allover wrote: | It's true insofar as VS Code is widely loved by web | developers. | | So it "furthers my intended point". | charrondev wrote: | No fork is required. If you build before from the source | in its main repo, there is no tracking included by | default. | | It's builds released by Microsoft that have all of their | specific stuff added in. | chrisoverzero wrote: | VSCodium say they're not a fork. | | > This is not a fork. This is a repository of scripts to | automatically build Microsoft's `vscode` repository into | freely-licensed binaries with a community-driven default | configuration. | mbesto wrote: | > Tbf Microsoft have won back a lot of good faith with | developers due to projects like VS Code and TypeScript, | even for those of us who remember their past. | | Those are great until they're not. It's why it's called | "bait and switch". | | > And we're yet to hear of any negative impact of their | Github acquisition (afaik - correct me if wrong). | | _ANY_?! Heh, do a quick search just on HN and you 'll | find it pretty quickly. | michaelmior wrote: | I did search, didn't find it quickly. Could you share | some sources of the negative impact? (I'm legitimately | curious as my use of GitHub hasn't led me to notice any | change.) | allover wrote: | I know what 'bait and switch' means, just like I also | know what FUD means. | | Next you'll call them Micro$oft. Come on now. | judge2020 wrote: | Before someone else comes along and writes a monologue, | the biggest downside might be how it handled (didn't | break) its contract with ICE[0]. 
If the acquisition | didn't happen, old GitHub might've dropped the contract | immediately upon enough employees speaking about it. | | 0: https://news.ycombinator.com/item?id=21412600 | kevingadd wrote: | Lots of big tech firms are government contractors, and as | we've seen most of them are unwilling to drop government | contracts (ICE, DARPA, etc). So this problem would arise | with almost any large benefactor. I would've liked to see | GitHub drop ICE though, personally. | manigandham wrote: | That's a subjective political opinion of a far-left vocal | minority. Not everyone has an issue with ICE (a federal | law-enforcement agency that stops criminals and saves | lives) nor finds a problem with a company legally | providing services to the government. | thu2111 wrote: | Others see that as an upside. ICE today, who knows what | tomorrow. The sort of activists who wanted that have all | kinds of random targets. No company wants to deal with | suppliers suddenly blacklisting them because the hard | left decided they're evil. | allover wrote: | That's a fair point - thanks for the reminder :| | jbkiv wrote: | Agree, What would you say would have been a better | outcome? Google? Facebook? Microsoft has changed quite a | lot, and in a good way. | bdcravens wrote: | Then you must not like React or Angular, since the owners of | those projects are the largest spyware and aggregators of | personal data in the history of humanity. | sneak wrote: | Software and services are not the same thing. | | For some examples: RMS being a douchebag has nothing to do | with the usefulness of gdb, nor can that circumstance | affect the utility in any imaginable scenario. | | Microsoft setting censorship policies (aka ToS) on a | website they own and control directly affects the utility | of npm/yarn/clients. Their website, their rules. | filoleg wrote: | Well, this comparison seems to be close enough. What | about VSCode and Github itself? 
| sneak wrote: | The time for GitHub is over. I have moved all of my | repositories away from there that do not depend on | GitHub-only integrated services, and am migrating my DNS | and domains/hosting off of those integrated services this | week. You should too. If you work there, you should quit. | | https://sneak.berlin/20200307/the-case-against-microsoft- | and... | | VS Code has had to fork to remove the unethical spyware | portions within it placed there by Microsoft: | | https://github.com/VSCodium/vscodium | kailanb wrote: | Just for reference, vscodium is not a fork to remove | Microsoft's code - it is just a build tool for the open | source repo as explained in the README. | | "When we [Microsoft] build Visual Studio Code, we do | exactly this. We clone the vscode repository, we lay down | a customized product.json that has Microsoft specific | functionality (telemetry, gallery, logo, etc.), and then | produce a build that we release under our license." | | "When you clone and build from the vscode repo, none of | these endpoints are configured in the default | product.json. Therefore, you generate a "clean" build, | without the Microsoft customizations, which is by default | licensed under the MIT license" | filoleg wrote: | Good for you. However, the general sentiment doesn't seem | to behave the same way. I haven't noticed a mass Github | exodus at all, aside from some people on the internet | being vocal about it for the first month after the Github | acquisition. Same with VSCode. | | I realize this is just pure anecdata and not a | legitimately researched observation, but I don't know a | single dev in real life who either switched away from | Github or VSCode due to those concerns, despite having a | wide variety of dev friends from all kinds of | backgrounds, including big tech devs, non-tech company | devs, fully remote devs, self-taught devs, small startup | devs, outside of the US devs, freelancer devs, etc. 
| smichel17 wrote: | I know a couple of projects that switched to gitlab. I | use gitlab for my personal projects. I've abstained from | moving Red Moon away from GitHub because it's still where | people are, and I have some doubts about GitLab's VC- | funded model (will they be able to stay as open | forever?). I also want to consider other options, like | SourceHut. At the same time, it is in the back of my mind | and I am ready to move away at the first sign of | extend/extinguish. | [deleted] | ahupp wrote: | What's the specific outcome you're concerned about? | grumple wrote: | Exactly, especially given the instability over at NPM. | Hopefully MS / Github can be a stabilizing influence both | financially and culturally. | hinkley wrote: | It does have a bit of a 'value add' feel to it. | | But, you know, we've had decades of companies whose 'business | model' is just their exit strategy... | [deleted] | cycloptic wrote: | It was already consolidated. The vast majority of public npm | packages are already hosted on Github. The dependency on them | has been there since the beginning. | yjftsjthsd-h wrote: | I would expect that moving git repos is easier than replacing | NPM? | cycloptic wrote: | It is, but who is doing that? The users of NPM all are | choosing to stay on Github. | davnicwil wrote: | Yes, indeed - and the dependency is literally right there on | the technical level. For years, you've been able to specify a | version of a package as a github repo's branch HEAD. | | npm i some-package username/repo#branchName | ChristianBundy wrote: | Bonus points: npm install | username/repo#semver:^1.2.3 | | The big problem is that lots of Node.js modules don't push | their tags, so there are issues on lots of repos begging | maintainers to push their Git tags so that we don't have to | use the npm registry. 
| | JavaScript is an interpreted language -- as long as you're | only downloading source code from the registry there's | really no reason to use a registry instead of the plain old | Git repository. | sneak wrote: | There is a build/transpilation step. | lioeters wrote: | A common issue I've had with using Git repos directly as | Node.js modules, is that many projects are | transpiled/built before publishing to NPM. Depending on | specifics of that build process, it may not work out of | the box (or at all) from a node_modules folder. | | With NPM acquired by GitHub, I can imagine them "filling | in some steps" by leveraging the fairly new Actions | feature, so that repos can provide built artifacts, the | same ones as published on NPM. The deeper integration | will be an interesting development to watch. | oefrha wrote: | Repos have been able to provide artifacts since forever | ago; they just don't sit in the tree. While you can | commit from an action, I'm not sure that's a great idea. | lioeters wrote: | You're right, artifacts in GitHub repos have been around | a long time. I suppose what I was missing was a way to | point to a specific built artifact (like a tar.gz from a | release) as a dependency, from package.json. As far as I | know, it's not possible yet with npm. I can imagine that | will be covered somehow with deeper integration of GitHub | and the NPM package repository. | IsaacSchlueter wrote: | Yes, this has always been possible. Just specify the | tarball url instead of a version or range. | hobofan wrote: | How is a convenience feature a dependency? The same command | exists as "gitlab:username/repo" variant. The GH variant | just happens to be the unprefixed one as it has by far the | biggest userbase. 
| davnicwil wrote: | Perhaps dependency was the wrong term, but my point is | what you said - they've built it in as a convenience | feature precisely because it's such a common usecase - a | better way to say it might be they're inseparably linked | tools / tightly coupled even on the technical level. | ginko wrote: | Am I the only one surprised that there's an npm Inc. to be | acquired? | | Why is there a for-profit corporation behind every open source | project these days? | KaoruAoiShiho wrote: | There's plenty of alternatives already so I don't see MS being | able to do anything untoward. /shrugs, I'll panic only if | something bad happens. | spacephysics wrote: | https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extingu... | | Whelp, time to look for backup solutions for when Microsoft | continues their strategy. | | Even today there's an article about github flagging (re shadow | banning) a user with 10k+ lib users, and no response from them as | to why the ban occurred. | | Thinking of adding an "in case of emergency" link in my README | for users in case of sudden service loss. | fxtentacle wrote: | I wonder why your (entirely reasonable) comment got down-voted | so much. This is exactly the risk why people prefer a | distributed and decentralized internet over one where all open | source is stored in one central Microsoft subsidiary (e.g. | GitHub). | golf1052 wrote: | I think people are tired of EEE being posted on every | Microsoft related thread even though Microsoft has been a | very different company for at least 10 years. | | I do agree with the concerns of open source consolidation | though. We need to find better ways of supporting open source | projects instead of having them being bought by "large | company". | zdragnar wrote: | The central repository is entirely optional when using npm | the cli tool; many companies use a proxy repository (such as | artifactory) to host their internal packages and cache public | ones already. 
| | Anyone can already run their own, or install from remote git | urls (not just github) as well. If the new organization | undermines the community, the community can easily move. | | NPM the company has had a significant number of missteps, and | them getting better oversight and removing the need to be | profitable will likely be better for everyone in the long | run. | rootlocus wrote: | Not that many companies had proxies when leftpad was taken | down. | cfv wrote: | Microsoft does have a much better track record in terms of | keeping their products alive than other Way Way Large companies | that could have made this acquisition, and for that I'm pretty | glad. | | That said, and just in case their notoriously warlike legal team | manages to fumble this somehow, I'd like to take the opportunity | to remind every other frontender that Verdaccio | (https://verdaccio.org/) exists, is easy to implement, and | relatively low maintenance. | 29athrowaway wrote: | Hopefully they don't drop Linux support like they did with Skype, | Minecraft, Xamarin[1], Corel Office and a long list of products. | | Their strategy from my perspective is to ensure Linux does not | become a competitor for their desktop OS. | | 1: it never had Linux support. | chungy wrote: | Skype returned with a Linux client, and Minecraft never dropped | Linux support at all. | 29athrowaway wrote: | Minecraft for Linux does not have the same features. | mekoka wrote: | Next in line is Canonical. | petey283 wrote: | I worry that this is too much consolidation. | Analemma_ wrote: | I hope you're spending lots of money at independent places | then, because this is the inevitable result of the current "OSS | infrastructure funded by VC charity" model. NPM was losing | money, as was GitHub when Microsoft bought that. Under such | conditions, getting bought out by a megacorp is the only path | forward. 
| no_wizard wrote: | I see this as a straightforward play, simply put, I think (to | summarize, perhaps a little too broadly) | | - They want to sell Azure Services | | - Most (if not all) NPM packages already live on github | | - NPM has a business revolving around package management, | including private npm instances and increasingly around | node/package security | | - This being primarily a business that will sell to has-money | businesses (e.g., medium to large businesses, Fortune 500 | corporations etc) | | So, given all of the above, it makes sense to have a vertical | selling into one of the fastest growing package management | ecosystems where you can be the "full stack" provider of | developer/enterprise tools. | | I don't think it's anything beyond this, personally. I expect to | see a lot of pushes to integrate with Azure Pipelines, cloud | deployment etc. centered around this. | | I wonder if they'll buy Passenger[0] next, it's a popular (in my | experience) to deploy nodejs applications. | | [0]https://www.phusionpassenger.com/library/ | sytse wrote: | Thanks to Microsoft/GitHub for this acquisition. NPM is essential | to the Javascript eco-system and it is hard to have a business | model for just a registry. In the ruby eco-system the awesome | Ruby Together https://rubytogether.org/ was started to run the | registry. In this case one of the world's most valuable companies | will run it, which means it doesn't need a not-for-profit. | | Regarding "trace a change from a GitHub pull request to the npm | package version that fixed it" will there be an API to add a | source in case the change was made outside of GitHub? Although I | recognize that the vast majority of changes to npm packages | happen on GitHub. | Vinnl wrote: | That must make you nervous over at GitLab, no? GitLab's | integrated workflow is one of its main selling points (I love | it), and GitHub now seems to be well underway to cross that | moat. 
| mavsman wrote: | Reminds me of what happened with Cloud9 and VS Code. First, | Cloud9 was awesome for allowing devs to code remotely. Then | once VS Code became the best editor out there, they added | remote host support (among other things) and now Cloud9 | caters to a different audience entirely. | sdesol wrote: | It is important to understand that the "one single workflow" | was very much what VSTS (Microsoft's GitHub competitor before | they bought GitHub) was providing. It is very evident that | Microsoft's enterprise background is shaping how GitHub is | evolving. | | GitHub is now very much focused on the end to end life cycle | now that they have "GitHub One". | sytse wrote: | It is exciting to see that having everything in a single | application is being validated by GitHub. Last year it was | very clear they are switching from a marketplace model to a | single application by including Verify (CI), Package, and | Secure. | | We think Git(Lab|Hub) will become the two most popular | solutions and we look forward to this competition | https://about.gitlab.com/handbook/leadership/biggest- | risks/#... | | I think the companies that should be nervous are ones that | have only one stage or ones that have multiple stages but as | a suite of applications instead of a single application | https://about.gitlab.com/handbook/product/single- | application... There are a lot of these | https://about.gitlab.com/devops-tools/ | tenderlove wrote: | Just to clarify, RubyCentral http://rubycentral.org is running | the RubyGems registry. | jrochkind1 wrote: | It's confusing. RubyCentral pays for hosting and "ops" (not | sure how much 'ops' staff time, if any?), but I think not | development? And RubyTogether hypothetically pays for | development (some but not necessarily all that's needed), | which can include new features but also required maintenance | (we all know software requires care and feeding, it's never | "done")? | | But I could have this not right? 
| | It has been confusing for a variety of reasons. | | And I think there are mixed reviews with how well it's going | overall, especially the RubyTogether part. | sytse wrote: | Thanks for that clarification, I was not aware of that. | Thanks RubyCentral! | dzonga wrote: | in as much as I love Github, putting our eggs in one basket as | developers is gonna burn us sooner or later. we need redundancies | in the system, that if one thing goes down, the world can go on | as normal. now we're centralizing github as a single failure | point. we've already seen the panic outages of Github or S3 | cause. | TAForObvReasons wrote: | NPM's blog post: | https://blog.npmjs.org/post/612764866888007680/next-phase-mo... | craftyguy wrote: | title should be "microsoft acquires NPM" | thawkins wrote: | Time to get behind Deno | | https://en.m.wikipedia.org/wiki/Deno_(software) | | Built by the node team to replace node. | ilaksh wrote: | For how much money I wonder. | franciscop wrote: | I'm surprised there's not a single mention of "Microsoft" in this | or the npm announcement [1], given the old-evil-history of | Microsoft and the new-nice Microsoft we have today. | | I would expect that there was at least a mention, considering the | reason that most modules in npm are still in ES5 is _exactly_ | because of the monopolistic practices that Microsoft followed | back in the day which makes Internet Explorer still relevant. | | Not negative, not positive comment. Just surprising there was no | mention. And I do think Microsoft is doing a great job recently | with Open Source in general. | | [1] https://blog.npmjs.org/post/612764866888007680/next-phase- | mo... | FooBarWidget wrote: | Microsoft is aware of their reputation. So much that they even | have a policy of not allowing Microsoft+Github co-brand | promotions. They want the Github brand to stay strong instead | of being diluted into some mix of Github and Microsoft. | nixpulvis wrote: | Sleez'n their way into our hearts. 
I can't say I really blame | them, but god I hate it all. | epicide wrote: | What does a trustworthy Microsoft look like to you? | sam_lowry_ wrote: | Divided into a handful of independent companies, maybe? | hajile wrote: | Chapter 7 Bankruptcy where they get acquired by a newly- | reformed Sun Microsystems (where no stock is owned by | Oracle or Oracle shareholders). | | EDIT: I'm mostly kidding, but you can't really expect | true change of morals when the vast majority of the upper | management is the same under the new CEO as under the old | one. | ChuckMcM wrote: | As a former Sun employee I love this comment, but in all | fairness Sun did have its own level of sleaze in the C | suite (neither Eric Schmidt nor Scott McNealy would | really do well as ethical leader exemplars) | | That said, I'm thinking Moon Microsystems :-) Not as big | or as hot as Sun. (ok that is a bad punalogy) I did get | the domain though, it was available and I couldn't | resist. | 205guy wrote: | Under certain conditions, can eclipse the Sun. | "Eclipse" ... now there is a name I haven't heard in a | long time. | | But can you make a cool logo out of "Moon"? | CSSer wrote: | At the risk of sounding somewhat naive, I think people do | have the capacity to grow over time. Perhaps part of the | reason why Microsoft has seemingly turned over a new leaf | in recent years is that upper management has learned from | their past mistakes? I do see your point though, and I | think it's stuck in the back of a lot of our minds. | FooBarWidget wrote: | Not to mention that upper management doesn't consist of | the same people as 15 years ago. | adventured wrote: | Most of Microsoft's anti-trust related behavior was in | the 1990s. Closer to 25 years ago. Merely a quarter of a | century. | | There's something hilariously farcical about holding a | grudge toward Microsoft for a quarter of a century. | yebyen wrote: | It's not so much a grudge as a reaction, call it an | immuno-type response. 
I shed my MS-OS Windows Desktop | addiction over 20 years ago to become a desktop Linux | user and I still see my co-workers struggling every day | with many of the same issues I haven't had to cope with | anymore since then. | | Ever since I have been able to get the Microsoft out of | my systems, I find myself naturally predisposed to keep | it out. I am not against Microsoft, I really am a fan of | a lot of the open and developer-focused things they are | doing, certainly not least of which is their support for | Kubernetes through Azure, but this does not make me more | receptive to going back to living in a Microsoft OS- | flavored ecosystem today, it just is not happening for me | and it's nothing to do with holding a grudge or similar. | | I use a Mac now because it was provided by work, if they | offer me a trade for a Windows machine I would probably | consider it because of the progress made by WSL2, but our | group policy lags somewhat behind and certainly not on | insider ring, so none of my coworkers have been able to | try WSL2 on their work-provided Windows machines, or | likely will for some time, and that makes me seriously | think twice about it. | | My natural inclination is that I would much rather | install Linux as the host OS so I have control over | things like when updates get applied, or whether a reboot | needs to take place immediately, in spite of the struggle | that sometimes comes with that, it is really much better | to have the source and keep the capability to control | your own hardware. And then only run Windows in a VM | whenever it is really needed. (In other words, to be able | to occasionally run Windows apps in a similar way as I do | when I have to use them on a Mac.) | SloopJon wrote: | Microsoft's corruption of ISO to standardize Office Open | XML is much more recent than that. | prepend wrote: | I think Sun was worse than MS. Your scenario would | terrify me. 
| | Sun's hardware was expensive although their software was | nice. Their handling of Java put me off them and led to | this current state with Oracle. | | They had many positives, but I'd rather have old | Microsoft than old Sun if I had to pick only one to eat | everything. Definitely prefer new Microsoft. | squarefoot wrote: | "What does a trustworthy Microsoft look like to you?" | | An oxymoron? | smolder wrote: | To me it looks like water that isn't wet. PR (propaganda) | and time will improve their reputation, but the | "commodify your complement" strategy, the intent to | dominate markets through anticompetitive behavior... | Those things aren't gone. Big tech companies (like most | big business) don't prioritize public good over profit, | so they really don't deserve anyone's trust apart from | trusting them to seek profit. | FooBarWidget wrote: | Maybe. But until someone comes up with a competitive | alternative, that is a moot point. | swebs wrote: | One broken down into smaller companies through antitrust | rules. | cmroanirgo wrote: | Slightly off topic, but relevant to your question. | | Recently I installed win10 pro and was appalled at the | way I had to jump through hoops to NOT have a m$ | account, not to mention the blatant adware. And this was | win10 professional. | | It certainly reminded me that m$ is a long long way away | from where it was in the 90s and early naughties. | | So, a good start would be a stable and private os without | all the adware and telemetry. | | PS: I use gitea instead of GitHub these days. Nor do I | use vscode, but sublime text, for the same reasons: too | much telemetry that can't be disabled permanently. | RMPR wrote: | You can use vscodium, which is basically vscode without | telemetry | cycloptic wrote: | A trustworthy Microsoft is one that has open sourced one | or more of their core products. Anything less is just | retaining their classic hostility towards outside | engineers.
| nixpulvis wrote: | I don't really distrust Microsoft per se. | | I just find it tragic that the only way GitHub could | survive (I guess) was to be BOUGHT. Like why couldn't | they stay smaller, focus on what they were good at, and | standardize with the community all the integrations in an | orderly manner? | | Although, Microsoft has shown they care more about the | developer community than Apple as of late. So for that, I | can at least say my trust is rising. But it's a bit too | late for me, I'm happily running Linux for most of my | daily life. | Kuinox wrote: | Microsoft always took care of the developers. | sylens wrote: | Microsoft's stance lately is that it's great if you want | to run Linux - they want to provide tools for you to use | there as well. | irrational wrote: | I've been a developer for nearly 25 years. I'm not sure | if there is anything MS could ever do to regain my trust. | Unfortunately this seems to be the way of large tech | companies. At one time I thought Google was the best | thing ever (don't be evil). Now I find that I view Google | in much the same way as I do MS. A huge corrupt behemoth | that needs to be broken up. | pgt wrote: | This is the curse of globalist behemoths. Small companies | is where it's at. Localism. | crispinb wrote: | Nonsense. There is hardly a local government in Australia | not hopelessly corrupted by local real estate interests. | In many nations local corruption is endemic right down to | every neighbourhood police station. Size isn't the | question: money's corruption of power operates at all | scales. | pgt wrote: | Size is absolutely the question. There is always | corruption, but in small municipalities at least the | scale of corruption is contained. In a sufficiently local | area the corrupt has to brush shoulders with his | unwilling benefactors and be shamed. | crispinb wrote: | Empirically, that's plainly false. 
Corruption declines, | on any level, when the right policies & incentives are in | place. | BurningFrog wrote: | I try to not anthropomorphize companies. | | They're made up of many small and hardly interconnected | parts. | | Whoever made some despicable decisions 25 years ago, | almost certainly don't work there anymore. | kortilla wrote: | Gates just finally stepped away from the chair. When that | shit comes from the top, it gets baked into the culture | and has a staying power beyond any tenure. | ocdtrekkie wrote: | I definitely saw Microsoft-of-the-90s as corrupt and | harmful, and I definitely see Google-of-today as corrupt | and harmful. I am not wholly opposed to the idea that | both are bigger than companies should be allowed to be. | | But apart from the fact that they followed the | unfortunate modern trend to add telemetry to things, I | can't really say Microsoft has done anything particularly | offensive to me in the past... nearly a decade? | | Just because you've been a developer for 25 years doesn't | mean you should evaluate a company based on 25 year old | events. | jakelazaroff wrote: | One especially odious thing recently: GitHub works with | ICE to round up and terrorize undocumented people and | their families. https://www.latimes.com/business/technolo | gy/story/2019-12-04... | kortilla wrote: | If you want an action to be made legal, you legalize it. | Don't blame the enforcement of the law. It makes for | great virtue signaling but is useless for bringing long- | term change and it doesn't help provide a stable | environment for people illegally in the country. | jakelazaroff wrote: | ICE itself routinely breaks laws in trying to capture | undocumented people. But to speak to your point directly, | I would _love_ to see immigration reform. Until then, | I'll absolutely keep speaking out against ICE. That's not | "virtue signaling", it's just advocating for a cause I | care about. 
| | Furthermore, basically _everything_ Microsoft did that | made developers hate them is legal. Why is it okay to | hold a grudge for "embrace, extend, extinguish" but not | for aiding and abetting an organization that consistently | violates our civil liberties? | noelherrick wrote: | The legislative process is not the only feedback system | that is enshrined in the US constitution, else there | would be no mention of public gatherings or protests. | What you suggest is a false dichotomy. | jchw wrote: | In my opinion Microsoft has done a great job as long as | you can completely ignore everything about Windows 10. | | https://hothardware.com/news/microsoft-changes-offline- | accou... | | https://www.howtogeek.com/519572/microsoft-is-testing- | ads-in... | | And that is all recent, on top of all the other stuff | they won't fix, like issues where file extensions | magically reset to Windows defaults, nagging you to just | please try Edge because it's better for real this time, | and the unavoidable mandatory Candy Crush - seriously, if | you install with no internet connection, it will keep a | placeholder there for you that will install as soon as | you're online. | | The telemetry issues are annoying too, not because they | exist but because you have to read a book's worth of | literature to understand what they chose to document. | Seriously: | | https://docs.microsoft.com/en- | us/windows/privacy/configure-w... | | Windows 10, I _wanted_ to like it but I can hardly | tolerate it. Has Microsoft changed? Maybe, but apparently | the Windows team didn't get the memo. | dr-detroit wrote: | You should try Windows 10 Enterprise | ocdtrekkie wrote: | I would generally agree Windows looks more like | traditional Microsoft than many other arms of their org. | | And the Candy Crush thing... like, if it was just Home | edition? Fine.
If it was even smart enough to realize it | need not preinstall that on a domain account (the | installation of UWP apps is technically per-user), like, | if they'd demonstrated any recognition that Windows is | used in professional settings... I'm right there with you | on this one. | | However... | | > like issues where file extensions magically reset to | Windows defaults | | https://devblogs.microsoft.com/oldnewthing/20190225-00/?p | =10... is probably the best response to that. Given the | number of Windows app developers who do unholy things | with their apps, it's hardly a surprise. (My | understanding is Windows has a huge number of secret | compatibility shims just to keep major software vendors' | bad hacks and API misuses working.) | | > nagging you to just please try Edge | | I literally can't escape "switch to Chrome" nags, as a | Firefox user. Every Google site has at least one, | Google's home page has displayed an amazing three Chrome | popups at the same time before. I'd maybe give you this | one if they weren't waging a war on it to a far more | aggressive foe, and losing badly. | jchw wrote: | I'm a fulltime Firefox user personally, and I have not | noticed a whole lot of nag. Does it not show up under | Linux or something? | | edit: So far I've tried switching my user agent, turning | off adblock, using a private/logged out window, on docs | and search. Not that I'm doubting you or anything, but I | am surprised I've not noticed it much since switching | back to Firefox. | | It's also probably worth disclosing that I work for | Google, though at home I am using Firefox and Duckduckgo. | ocdtrekkie wrote: | This is a 2018 screenshot I took: https://pbs.twimg.com/m | edia/DoEPgo2V4AA4Ql5?format=jpg&name=... | | Your mileage may vary on any given month, as Google | frontend code seems to come and go regularly and | randomly, indeed varying by platform, OS, and lunar | cycle. 
| dcgudeman wrote: | Well you certainly picked a username that reflects your | views. | irrational wrote: | What do irrational numbers like phi have to do with the | lack of ethics of large corporations? | [deleted] | loudmax wrote: | For most businesses, Microsoft still holds a monopoly | position on desktop OSs. For a lot of smaller IT | departments, this bleeds into back-end servers as well. | | Microsoft has the Windows Subsystem for Linux, allowing | Linux binaries to run on Windows. How about the reverse? | Get WINE to the point where Linux (or FreeBSD or some | fully source OS) can reliably run Windows binaries. | | Along the same line, provide portable libraries to allow | other office suites to reliably edit MS Office files | (docx, pptx, etc). Maybe Adobe or someone will come up | with a commercial competitor, instead of just | LibreOffice. | | Make Windows and MS Office a choice, rather than a tax | businesses have to pay to be compatible with everyone | else. That would go a long way to establishing trust. | [deleted] | ocdtrekkie wrote: | Microsoft is arguably working on it: They offered up | exFAT support to Linux, and it's been added to the | kernel. SQL Server being supported on Linux is _huge_. | Probably the absolute biggest selling point to Windows- | based infrastructure remains Active Directory, and if you | 're cool with being cloud-based (I'm not, FWIW), they | offer that through Azure now. | | Windows is like three decades of legacy systems, but I | would argue many of Microsoft's recent decisions have | been at the cost of their Windows division. | craftyguy wrote: | Break up, and cease to exist. | jacquesm wrote: | Dead & gone. | zibfuddle wrote: | It would be interesting if they ended up with Brendan | Burns (creator of k8s when he was at google) in charge of | github at some point and made him like the OSS champion. | He's running all the containers and linux stuff on Azure, | so it seems like it would be a natural fit. 
| caoilte wrote: | Small enough to drown in a bathtub. | rch wrote: | Three product companies (Enterprise, Consumer, and | Media), an open source company (Research, Engineering, | and Collaboration), and a foundation owning all of the | patents and other licensed IP. | craftyguy wrote: | > Sleez'n their way into our hearts. | | Just like a cancer! Oh wait... | ddek wrote: | I get this in principle, but when I go to GitHub without | being logged in it just feels... well, like Microsoft. | pseudorandomguy wrote: | My fear might probably be unfounded, but NPM is an integral | part of the JS ecosystem. And given Microsoft has .NET Core, I | have a strange feeling that they'll concentrate on npm less. | sebazzz wrote: | I think they view it as way to make Core more reliable. Core | relies on community developed - npm hosted - tools like gulp and | webpack. Unlike the full Framework, Core doesn't have "built- | in" or "endorsed" bundling solution. | ethomson wrote: | Product Manager at GitHub here - I'll be the Product Manager | for npm when the acquisition closes. I agree - npm is | definitely an integral part of the JavaScript ecosystem. The | npm package registry will remain free for public projects. | We're going to work to ensure that the service is stable and | accessible, and ready to serve the next million packages. | | This is independent of what Microsoft's doing with .NET Core. | I'm excited about the work that they're doing, but this isn't | going to stop us from making sure that npm is outstanding. | Nullabillity wrote: | > I'm excited about the work that they're doing | | Sounds like it won't be shielded from the cult-like MS | mentality, then. | justinmeiners wrote: | ? This is regular PR speak. | chaostheory wrote: | This is great news for people forced to use Windows. JavaScript | being a 1st class citizen on MS platforms is being even more | cemented. It'd be great if Microsoft moved faster with Python | integration into the MS ecosystem like SQL Server.
| banachtarski wrote: | I installed Windows Subsystem for Linux 2 on an older machine | just now. The MSFT of today is definitely a far cry from the | MSFT of yesteryear. Such a thing would have been unheard of 15 | years ago. | fredsted wrote: | Embrace, extend, extinguish? | Sammi wrote: | Open Source copyright licenses exists exactly to make the | extinguish part impossible. MS cannot put the genie back in | the bottle when it puts out open source software. | 2OEH8eoCRo0 wrote: | How dare they gain market share by putting out products | that people want! | tomnipotent wrote: | Can you give any examples in the last 10-15 years? | Rainymood wrote: | Currently in the embrace phase ... | kingbirdy wrote: | How would MS possibly extinguish linux? | kristofferR wrote: | Ballmer would have suggested chemotherapy. | msla wrote: | They can't. That's why I hate people using that chestnut | in relation to Linux: It doesn't work for two reasons | which stick out at me. | | Reason one is because Linux is GPL'd, Microsoft can't | extend Linux without giving its extensions back to the | community. | | Reason two is because Linux is already established in | multiple realms, so Microsoft can't bully its way into | dominance. Microsoft has a respectable presence in server | rooms, but it isn't absolutely dominant by a long shot. | Microsoft probably has something going on in the | embedded/hobbyist SBC space, but there's no path for them | to dominate there. And, FWIW, Linux owns the | supercomputer world. I also can't see IBM falling over | itself to put Windows on mainframes. | reaperducer wrote: | My prediction, that my IT department hates to hear, is that | Windows is going away. | | Microsoft doesn't want to be Microsoft anymore; it wants to | be Oracle and IBM and primarily make money off of business | consulting and the cloud. 
| | I think Windows will eventually become a presentation and | slowly-phased-out compatibility layer on top of Linux, | similar to the way macOS became Unix, but even less | different than its underlying OS. | | However, it should be noted that I'm not very good at | predicting things. | adamc wrote: | Very unlikely, as it would mess with backwards | compatibility and cause unhappiness of users and IT | departments. Microsoft still makes money selling Office | and other products there. | phoe-krk wrote: | Microsoft doesn't need to care about backwards | compatibility anymore, now that Wine exists precisely to | have compatibility with Windows software (including | software that even modern Windows itself no longer wants | to run). | AnIdiotOnTheNet wrote: | > now that Wine exists | | Wine is 26 years old. | phoe-krk wrote: | Agreed, could have worded it better. Now that Wine is | good enough to run most of Windows software and backed by | Valve via its Proton initiative. | Rapzid wrote: | Microsoft has 7.5X the market cap of Oracle; why on earth | would they want to be like Oracle? | dnautics wrote: | > I think Windows will eventually become a presentation | and slowly-phased-out compatibility layer on top of | Linux. | | I think this is unlikely. In many ways the NT kernel is | superior to the Linux kernel. I just wish it were open | source and didn't have the rest of windows around it. | ForHackernews wrote: | Since when has technical superiority ever determined | which product wins in the marketplace? | | The Linux kernel is ubiquitous and free-as-in-beer, so it | might win out. Android has already shown how you can | build a proprietary userland on top of it. | dnautics wrote: | > Since when has technical superiority ever determined | which product wins in the marketplace? | | Good point. | pjmlp wrote: | And how fragmentation on Linux profits OEMs, each with | their own little distribution, not giving anything back. 
| zip1234 wrote: | Microsoft seems to be happily improving their OS and non- | cloud products as well. They are a big enough company | that they can be competitive in both. | AnIdiotOnTheNet wrote: | If Windows goes away, personal computing basically dies | with it. Everything will be locked-down walled-garden | webshit, or community-built-jank FOSS desktops that | really want to be like the locked-down walled-garden | webshit experience but will say it is for the user's own | good. | [deleted] | geofft wrote: | Doesn't that require actually extending and extinguishing, | though? | | WSL1 was a proprietary reimplementation of the Linux system | call ABI as an NT subsystem. WSL2 is actual Linux running | in a VM. That seems to be moving in exactly the opposite | direction. | banachtarski wrote: | Exactly. There are so many things different about today's | MSFT. Another example is Linux support on Azure. People | love their tin foil hats though. | svnpenn wrote: | Um, no you didn't. It only works with windows 10 | | https://docs.microsoft.com/en-us/windows/wsl/wsl2-install | efdee wrote: | Windows 10 runs on older machines just fine. | banachtarski wrote: | Thanks you saved me a snarky comment | ibiza wrote: | You do remember one of the original Windows NT subsystems was | OS/2 1.x, right? http://www.os2museum.com/wp/nt-and-os2/ And | look how that turned out :) | pjmlp wrote: | Actually it is a return to their roots, given Xenix. | reaperducer wrote: | _I'm surprised there's not a single mention of "Microsoft" in | this or the npm announcement [1], given the old-evil-history of | Microsoft and the new-nice Microsoft we have today._ | | Maybe Microsoft's reputation is exactly the reason why it was | left out of this announcement. | | Sometimes a brand is so tarnished that the owner tries to hide | it from the people who hate it. (For example, Comcast - | Xfinity. I expect Monsanto to go the same way and become | Bayer.)
| [deleted] | chang1 wrote: | The latter already happened[1]. Bayer offloaded most of its | ag business (to BASF) and replaced it with Monsanto. Monsanto | has been rebranded "Bayer Crop Science". Although I'm | guessing much for the same reason, Monsanto never rebranded | any of the dozens of seed companies it acquired over the | years (e.g. Dekalb, Seminis, Asgrow, etc.) | | The same also goes for Charter - Spectrum. | | [1] https://en.wikipedia.org/wiki/Monsanto#Sale_to_Bayer | haecceity wrote: | > considering the reason that most modules in npm are still in | ES5 is exactly because of the monopolistic practices that | Microsoft followed back in the day which makes Internet | Explorer still relevant. | | Could you tell me more about that? | oever wrote: | Microsoft wants to host as much information as possible so it | can collect data on developers and users. It is very hard to | avoid giving data to Microsoft. GitHub, NPM, LinkedIn, Office | 365, Teams, the lock-in is still alive. | | A decentralized web or a non-for-profit like Wikipedia is a | much better model for these infrastructure projects. | divbzero wrote: | Git was designed to be decentralized from the start. Is there | a way to revitalize that heritage? | | Discoverability and pull requests are two big benefits that | GitHub has offered. Could we create decentralized open source | solutions to provide those benefits? Are there other benefits | that we'd need to provide to have viable alternatives to | centralization? | phoe-krk wrote: | https://notabug.org/peers/forgefed is one attempt at that. | [deleted] | jacquesm wrote: | I'm not using any of those. | mundo wrote: | Yes, why is this not titled "Microsoft acquires npm"? | wutwutwutwut wrote: | Would be super strange if titles always referred to the top- | most parent company. Every time Google does something the | title should be referring to Alphabet? Please no.
| smichel17 wrote: | The other way around, and in fact it already is that way -- | we often say stuff like "Waymo, Google's self-driving car | project", because we know who really runs the alphabet | show. | dwightgunning wrote: | My first reaction was ... "so Microsoft". I'm with you on the | positive path Microsoft have been on with OSS but also recall | the not-so-recent history. It'll be interesting to see how this | plays out. | bad_user wrote: | I don't follow. | | Why would there be a mention of Microsoft? That many modules in | npm are ES5 is completely irrelevant for npm's purpose. | | And Microsoft changed, how exactly? | | And why are you advertising for them? | chrisweekly wrote: | Microsoft bought Github less than 2 years ago. | tedmiston wrote: | Microsoft acquired GitHub. | | https://news.microsoft.com/2018/06/04/microsoft-to- | acquire-g... | bad_user wrote: | Yes, so what's the relevance? | whoisjuan wrote: | I mean. It's a subsidiary. I understand your sentiment but | mentioning Microsoft would be like signaling that GitHub | doesn't have any autonomy which is quite the contrary to what | Microsoft said when buying it. So don't expect sudden sincerity | on this. There's a reason why they haven't added Microsoft | branding to areas like the footer. | fxtentacle wrote: | ... and everyone knows that big corporations always speak | purely from their open heart when they sign large acquisition | deals. | tylerchilds wrote: | well now I do ;) | cpr wrote: | Interesting subtle implications that the NPM paying users are | going to be moved to Github's distribution system, while | maintaining the OSS version of NPM for everyone else. | fxtentacle wrote: | Oops. So NPM will go down, soon. | | I just finished reading this related HN post "How GitHub blocked | me (and all my libraries)" | https://news.ycombinator.com/item?id=22593595 | triceratops wrote: | There's a difference between NPM the client and NPM the | registry. 
You can point the client to any registry you want - | there are a _ton_ of options. | mceachen wrote: | What other public registries are there, besides yarn's mirror | of npm's registry? | triceratops wrote: | I didn't say public registries. | aikah wrote: | Who predicted it 5 months ago? hmm? | | https://news.ycombinator.com/item?id=21031266 | | I also predicted a few more controversial things but if you think | in terms of ecosystem and cloud market strategy, then it makes | perfect sense. | inputError wrote: | THANK FUCKING GOD | ezekg wrote: | Sorry, but npm burned me too many times. It is (was?) the worst | package manager I've ever used. Not a fan of npm the company | either. I'm sticking with yarn. | joshiefishbein wrote: | Yarn is majorly only a CLI. It still uses NPM as the source for | most packages. | | The product Github is probably most interested in is NPM as a | repository for packages, not its CLI. | mtkd wrote: | Mid Oct 2009 -- Github ceased gems.github.com to focus on source | control | papito wrote: | You are all Microsoft developers now :) | cjamesd wrote: | Most important question: Will you still be able to see user- | submitted phrases explaining the npm acronym? (See upper left- | hand corner of https://www.npmjs.com/) | ethomson wrote: | Yes, I love those. We'll keep those around for sure. | kyle-rb wrote: | Damn, someone just beat me to "Now Part of Microsoft" | | https://github.com/npm/npm-expansions/pull/2936 | mythz wrote: | Just like GitHub this is a cloud play to make Azure more | appealing by meeting developers where they're at, increase dev | mindshare/reach, hosting their packages, CI Scripts/Actions then | making it seamless to deploy to Azure. | | Smart, have no idea where AWS or GCP's control team are at when | these strategic plays are going down. | Jaxkr wrote: | I honestly think that Google cloud platform will be shut down | within a couple years. It seems like it's losing the war very | badly.
| IceWreck wrote: | I am honestly amazed that there is no official way to install | Fedora or Fedora CoreOS on GCP. There are no images even on | the GCP marketplace. | | Stuff like this is what irritates me. Even small vps | providers have this. | rambojazz wrote: | What are they buying, precisely? Open source software? | ryanmccullagh wrote: | Microsoft owns so many day-to-day tools and platforms. LinkedIn, | GitHub, NPM. | pavlov wrote: | Heh, I called this 10 months ago: | | https://news.ycombinator.com/item?id=19838122 | | Somebody replied "Microsoft won't acquire npm for sure." | [deleted] | RuleOfBirds wrote: | Neat contribution! You guessed one thing, someone else guessed | another, but they were wrong, and you were right! Yay on | @pavlov. Boo on them. | pavlov wrote: | A special day. The stock market is down 388% and 142% of | people are predicted to die, but I got Internet karma points | for guessing something right and that's what really counts. | russellbeattie wrote: | I used to be excited when I made predictions like that. Then I | realized that my correct predictions, plus $4.15, would only | get me a Venti Latte at Starbucks. | bbrree66 wrote: | Wow, congrats! You are amazing! I can't believe someone | disagreed with your prediction. | hn_throwaway_99 wrote: | Current me loves this, and I love all the GitHub tools they've | added recently. | | Future "5-10 years down the road" me _knows_ this will suck, | ending up where all concentrated monopolies end up... | hateful wrote: | They could probably save tons just by deduping the npm and github | homepages of every package! | Jaxkr wrote: | This is pretty great. NPM was struggling to monetize and is a | critical part of the JavaScript ecosystem. | collyw wrote: | I hope it's not going to do a left-pad fiasco on everything in | github. | sergiotapia wrote: | I'm not liking the consolidation. Never ends well, ever. Not even | in one case in the history of humanity.
| | I'll be switching from Github to other providers for my own | projects, and use a different editor soon (using vscode now). | bepotts wrote: | Gotta respect how Microsoft couldn't build anything the open | source community wanted to work with/on so instead they used | their Windows and Office monopoly to buy everyone's favorite | playgrounds. | mythz wrote: | They should get props for TypeScript & VSCode. | bepotts wrote: | They do and I will give them props for that. But no company | should have as much control over open source that Microsoft | does. | mythz wrote: | They should & deserve to have full control over everything | they've created. | | You can blame AWS/GCP for letting GitHub & npm be acquired, | how many years were they on the open market? | | Most of the $$$ in OSS is being funneled towards rent- | seeking major cloud providers that are hosting OSS | software, whom should all have blank checks with the money | they've reaped so far, but seems only Microsoft has the | strategic savvy to focus on acquiring the obvious targets | for increasing dev mindshare. I don't fault them for their | M&A's, it's just good business. | roguecoder wrote: | It's also not like Amazon is being an amazing open source | citizen; I don't see them acquiring the tech to be an | automatically-better outcome than the current version of | Microsoft doing so. | | IMO this shows the importance of separating technology | from platform. Ideally we would have non-profit groups | with good governance & corporate support (rather than | control) to grow these technologies. If an open source | project can be acquired, it's only so free. | lioeters wrote: | Indeed, these two projects alone have turned around my long- | held opinion on Microsoft, to "cautiously optimistic". | | TypeScript and VS Code have been an invaluable contribution | to the community. I'm a daily user of both and so thankful | for the talent, ingenuity and effort that have gone into | them. 
| | How Microsoft have managed the acquisition of GitHub, giving | them autonomy and infrastructure support - so far, it's been | all around positive. | | Now with NPM under their wings, the centralization does worry | me somewhat. I hope there are conscientious decision-makers | who will guide the project for the good of community and | ecosystem. | debt wrote: | Thank god. NPM is so crappy it desperately needs institutional | support. | z3t4 wrote: | Was gonna write about all the bad stuff that can happen, but | don't want to give any ideas. Instead I give advice; embrace and | empower, rather than extend and extinguish. | ryanmarsh wrote: | How much did Microsoft pay? What did the founders take away? | | Most people don't know, in these open source acquisitions by for | profits there's money involved and "founders" get an exit. Not | always clear to the public who those are or what they took home | from a mostly volunteer effort. | lioeters wrote: | I too was curious about how much the acquisition cost. | According to TechCrunch: | | > GitHub, the developer repository owned by Microsoft, made a | little deal of its own this morning when it bought JavaScript | packaging vendor npm for _an undisclosed amount_. | | https://techcrunch.com/2020/03/16/github-nabs-javascript-pac... | Phenix88be wrote: | I'm always worried when things like this happen : | | Critical open source entities are bought by private company. I | understand the need for money and sustainability these entities | need, but it's really a shame that the open source community | doesn't "own" themselves. | Kenji wrote: | You naive idiots. You just sold the keys to the JavaScript | kingdom to Microsoft. | abledon wrote: | what does this mean for yarn? ___________________________________________________________________ (page generated 2020-03-16 23:00 UTC)