DEV Community

Peter Kim Frank

GitHub announces GitHub Package Registry

GitHub just announced GitHub Package Registry. They set up an info page you can check out: https://github.com/features/package-registry

Follow Tierney Cyren (@bnb) on Twitter to follow along live.


What are your reactions to the announcement?

Top comments (25)

Andy Zhao (he/him)

I actually have no idea what a package registry is, or what it does. I read this article on Tech Crunch and still am not really sure what it means: techcrunch.com/2019/05/10/github-g...

An "explain like I'm five" would be greatly appreciated! 🙇‍♂️

Yaser Al-Najjar • Edited

Let's say you're working in a restaurant...

You, as a chef, don't wanna take the recipes from other chefs and cook it by yourself every time you wanna create that delicious plate (that needs many recipes).

You would love if you had a kitchen that serves some ready-to-eat commodity food and compose it into your special plate.

Now, the lovely thing about that kitchen is that it keeps old commodity food with labels because some chefs prefer the old taste of that commodity food, and the kitchen is only allowed to enter for the chefs of that restaurant (because you don't wanna share your trade secrets with other restaurants).

Now change the above story wording:

Restaurant = your organization

Chefs = other developers/teams in your organizations

Recipe = package code (raw)

Kitchen = registry

Commodity food = packages (ready to be consumed)

Plate = your app

Labels = versions of those packages (to ensure new version won't affect apps using previous version of that package)

Jonathan Kuhl

A good analogy and precisely why I'm looking forward to it.

Duc Nguyen

So isn't it like npm registry?

Yaser Al-Najjar

Yes, it is like npm registry...

But, they say it supports all shapes and colors of registries (npm, maven, nuget... etc).

David Wickes

What are your reactions to the announcement?

rhymes

same :D

it seems great for big co's that have private packages shared among teams though!

Cubicle Buddha

This ^

Michiel Hendriks • Edited

This will be an enormous fragmented repo world.

As a Java developer I do not see any good reason to move away from Maven Central any time soon.

As for public repos, I do not see any mentions of repo and package integrity. The fact that they allow arbitrary deletion doesn't help in creating trust in these repos.

Florimond Manca • Edited

At first I was quite worried that Microsoft would be gaining even more monopoly on the developer workflow, but then I realized that this wouldn’t be competing with existing tools, but only be there as another location from which packages can be downloaded from.

I think for the general public this doesn’t solve any actual problem, because you don’t want your users to have to install your specific package from say registry.github.com instead of registry.npmjs.org (which I think is the default for JavaScript).

For businesses and private enterprise usage however, I can totally see how this would solve the problem of sharing private packages across teams.

In Python in particular, you can specify the registry once and for all in the Pipfile (provided you’re using Pipenv). The default PyPI index is already listed so you just have to swap it for yours, and there you go!

So I guess this is a nice feature that some people may find useful, but that won’t change the way people do open source.

Corey Alexander

After reading the feature page quickly I think one of their big benefits is gonna be for businesses that want to have a private hosted registry.
I know that's something we've wanted before at my company, and I could see us easily adopting this product since it fits into GitHub's existing security model.

Not sure I'll use it personally, but if it gains momentum maybe I'll push to this too as a second registry :shrug:

Corey Alexander

So it only took a day for me to realize that I would actually like this personally too 😆

So now I just have to wait patiently for my beta invite!

Glenn Carremans

Very interesting of course! But also not sure what to think of it.
Everything is in one place and easy to manage <-> You are locked in the GitHub 'ecosystem'

Also wondering if they will support other registries, for example Composer (PHP).

Yaser Al-Najjar • Edited

I'm not familiar with Java tooling, but I read about it and it seems like nexus.

If you're familiar with docker it's like a docker registry.

I think the unique value here is that it's a cloud based solution from the mighty GitHub.

Michiel Hendriks

Both Sonatype (makers of Maven, Nexus, and maintainers of Central repo) and JFrog (makers of Artifactory) have cloud based solutions.
But they are mostly not gratis.

Adrian E. • Edited

Well it's the next step. I like the idea of that. Especially when it's integrated directly in pip or npm :)

On pip I could also install private repos. Maybe it's more comfortable in the future

pip3 install -U 'git+ssh://git@github.com/...'
 
Victor Bjelkholm

I wrote a direct reply to this news here: dev.to/victorb/the-everlong-quest-...

TLDR: GitHub Package Registry is great, but not enough to make sure we get a solid package registry for the long-term.

Casey Brooks

I love the idea of having releases strongly tied to actual git commits/tags. With Actions, I can see a near future where you can verify a given release is exactly what is in the repo. GitHub would know that a given artifact was released from an action and can verify "this artifact was the result of a build on the push of this commit".