GitHub just announced GitHub Package Registry. They set up an info page you can check out: https://github.com/features/package-registry
Follow Tierney Cyren (@bnb) on Twitter to follow along live.
What are your reactions to the announcement?
Latest comments (25)
Well, it's the next step. I like the idea of that. Especially when it's integrated directly in pip or npm :)
On pip I could also install private repos. Maybe it's more comfortable in the future.
Will it support PHP's Packagist?
Great! So when GitHub goes down I can no longer run ‘npm install’. No thank you. There are times when decentralization is a good thing.
We will see how it goes. I think the Docker and npm registry is a good option.
A really good thing for private registries (particularly for Maven, can't really tell for others), but likely to make things harder for consumers of public artifacts, so public projects should avoid that feature (unless maybe it's coupled with a bot to auto-deploy to public central registries).
I wrote a direct reply to this news here: dev.to/victorb/the-everlong-quest-...
TLDR: GitHub Package Registry is great, but not enough to make sure we get a solid package registry for the long-term.
At first I was quite worried that Microsoft would be gaining even more monopoly on the developer workflow, but then I realized that this wouldn’t be competing with existing tools, but only be there as another location from which packages can be downloaded.
I think for the general public this doesn’t solve any actual problem, because you don’t want your users to have to install your specific package from say registry.github.com instead of registry.npmjs.org (which I think is the default for JavaScript).
For businesses and private enterprise usage however, I can totally see how this would solve the problem of sharing private packages across teams.
In Python in particular, you can specify the registry once and for all in the Pipfile (provided you’re using Pipenv). The default PyPI index is already listed so you just have to swap it for yours, and there you go!
So I guess this is a nice feature that some people may find useful, but that won’t change the way people do open source.
I'm not familiar with Java tooling, but I read about it and it seems like Nexus.
If you're familiar with Docker, it's like a Docker registry.
I think the unique value here is that it's a cloud-based solution from the mighty GitHub.
Both Sonatype (makers of Maven, Nexus, and maintainers of central repo) and JFrog (makers of Artifactory) have cloud-based solutions.
But they are mostly not gratis.
I love the idea of having releases strongly tied to actual git commits/tags. With Actions, I can see a near future where you can verify a given release is exactly what is in the repo. GitHub would know that a given artifact was released from an action and can verify "this artifact was the result of a build on the push of this commit".
Assuming I understand package registries, I'm not sure what problem GitHub is trying to solve with their own package registry. Is the point of this so that your source code will be on GitHub and the package will also be published there, so it is a "one-stop shop"? Will I still need to use npm's/yarn's CLI for JavaScript, but change where it downloads the packages from? If I understand that correctly, it would seem like a hassle if only some packages I am using are on GitHub's registry, but all of them are on npm's registry. Wouldn't it make sense just to use npm?
Is this more beneficial to enterprise customers that already use GitHub for their code so that they can have their private packages published in GitHub's registry instead of npm Enterprise or setting up and maintaining their own registry?