It's not accurate to say that Fastly is hosting the registry; Fastly are providing CDN services to our registry -- a globally distributed cache -- for which we're very grateful.
As for the download counts, per Twitter ( https://twitter.com/npmjs/status/422823647619710976 ), we removed the download counts because our original solution for those counts (keeping them in CouchDB) wasn't scaling. I am literally, as we speak, working on the replacement system to restore download counts.
And Isaac's LinkedIn title is a joke. I hope that's obvious.
Thanks for answering the questions. I depend on node at my day job, so I am particularly interested in npm's future.
I understand someone has to pay for the servers and development time, but would it be possible to give a hint for the types of things you plan to charge for? Even just a rough sketch of "we will offer private repositories" or "we will offer support." I appreciate the "reassurances" that nothing will change today for me, but the ambiguity prevents my latent paranoia from going away.
I appreciate your paranoia :-) We are wary of announcing all the stuff we're planning given that we don't know how long it will take to build yet and don't want to be accused of vaporware. However, we are planning to announce at least our initial product plans pretty soon. (Probably not in a comment on a HN thread though ;-))
I just want to say that I would gladly pay for private npm hosting. Something along the lines of github's private vs public repos would be extremely valuable. Yes, we could set up our own private npm server, but this seems like an obvious thing to outsource to a service as long as the pricing is not crazy. Best of luck!
We've been using Gemfury[1] for our private modules, which has worked out well, no problems in over a year of use, though I'd probably switch over to npm if they offered private hosting.
(Pssst... hey kid... c'mere a minute. Tell ya somethin'. Ya wanna sell stuff? Then stfu about yer junk. Cuz... <tch> seriously? NO body wants to hear that shit. Know whutta mean? Jus' sayin'...)
And, I hate to tell ya this, but... <ahem>... that guy's title... if it is, as you say, "a joke"... it sure ain't the biggest one.
But, ya don't have to take MY word for it. Life is a great educator. Bit heavy-handed at times, but... you guys'll find that out. Have at it, kid. Take yer best shot.
Hope ya got a 'Plan B'.
One thing I'm a tad annoyed by - this deal was being put together simultaneously with the "scalenpm" crowdfunding drive. A shoutout to the supporters of that drive would have been nice...
Quite true. Even though I didn't donate, I wonder why they went for crowdfunding while they were going to raise VC funding. I would expect (partial) refunds.
This is a common confusion. The scalenpm crowdfunding was done by the good folks who ran the npm servers for free (mostly nodejitsu) up until the recent switchover to the new infrastructure with Npm, Inc.
You can still use the nodejitsu registry for free if you'd like[1]. They aren't likely to need as much scaling anymore, but there's still a big cost to running those servers. I don't think there was any foul play when it comes to the scalenpm money, as I'm fairly sure they were not aware of the intent for Npm, Inc to take over default hosting.
tl;dr the money did not go to the same people, and the people who crowdfunded thought they'd still be hosting npm going forward at the time.
> as I'm fairly sure they were not aware of the intent for Npm, Inc to take over default hosting.
I did tell Charlie in November about my intent to take over the registry in Q1 of 2014, if it proved economically feasible. The raise helped accomplish that, for sure, but so did a massive restructuring that means it requires far fewer resources.
Does this actually make it any better, though? I mean presumably the people who took part in the crowdfunding also assumed they were contributing to the long term hosting costs of npm and the success of the platform itself.
I don't believe they had much say in the change. They are still using the money to do what they said they'd do in their campaign, and many people are setting up their registry as their default. As far as I know they just got caught in a situation that was less than ideal (while also getting rid of some financial burden). I think they deserve applause for running it at high cost to their business for free for years rather than being villainized because they got caught in a situation that they weren't in control of. If you donated, or are worried about what Npm, Inc. is doing (hint: so silly to feel this way), you should set your default registry to theirs (it's already set as your failover, btw).
The cynicism in this thread is so bizarre to me. No one is being evil. There's no secret foul play. Everyone go write modules and share them and be happy.
Yea. This is really odd. What in the world is going on? Since when is a package manager something you can monetize? I knew about the plans to monetize node, but didn't realize it was going to involve mucking around with npm. This is concerning.
Enterprises want to 1) publish their own private packages in an overlay to the public packages and 2) block unvetted packages. There is a business opportunity in providing that to them.
It's also kind of funny that Meteor.JS by contrast got $11.2m in funding. And NPM, the underpinning technology which has further-reaching economic benefits, only receives $2.6m. I know it's a bit apples and oranges, but four times the value? The valuation of software is surrealism.
I understand the fact that it can be fairly expensive to run a large, popular module site such as npm and rubygems. What I'm curious about is how they intend to monetize npm, and how it affects users, if it does. Typically, VCs hope to get a return on their investment.
>The future is large, but I can pretty much guarantee that paying for access to open source modules is not ever going to happen. Not because it's evil (though, I believe it is), but because it's stupid. It's just not a good model, and it's not hard to see why. No one wants to pay it, and rather than deliver value, you're making people go elsewhere. It is a case of the orchard selling lumber, burning down your value in order to get a short-term gain that can never expand.
>Many companies have been literally begging for me to figure out a way to take their money and add some features to npm. None of this impacts what any of you are currently doing, and in fact, it helps you, because it requires building additional high-availability systems that are robust enough for the next 10x increase we face.
>Like I said, all that is currently free will remain free, and all that is currently flaky will improve. There'll be some new stuff you can pay for if you want to use it, but if you're happy with the current status quo, you can just take it easy and maybe eventually get a job where you use npm for work stuff also :)
- Isaac Schlueter
Makes sense. One obvious power feature, that not only doesn't affect normal users but would also be well worth the money, is a locked down priority server. With npm being an open registry, any author can overwrite any release at any time. I don't want that possibility to happen on production, so if they provided a server with the versions you are using frozen from the general community, I would be interested in that.
You can specify what version you want.
That doesn't necessarily imply that version will continue to be available.
Ruby has the same problem with "yanked" versions of gems.
Stats in general seem like a pretty horrible monetization strategy considering the other obvious routes that would not be met with service-killing scorn. I would be shocked if the first option was not the route they take, with the second possibly coming later.
The messaging so far is that they don't intend for anything to change for typical users of npm, and that they'll make money with stuff like enterprise-level support. But I think it's still a bit in the air.
GitHub is another example of a company that caters to the open source community while still having a business plan.
Right now npm is at the core of every project using node.js, and businesses have more complex needs than open source projects. One such need would be having a private registry. You don't want to have your production build chain depending on packages that could be replaced by the author at any point in time. The current wisdom if you want protection from that is to run your own npm server, but why do that when you can just have the guys that do this exclusively do it for you?
This makes sense because there are business needs that don't overlap much with the open source world that they can sell, the same way GitHub does. GitHub was successful because they got the programming world using them for their open source projects, and after dominating over that market, those programmers took the service and recommended it to their employers, because that was the tool everyone was using.
Npm falls in the same business area, where the programming community is already using them, and businesses have other needs from them, that they currently cannot provide.
It would be nice for npm to put up a monetization blog post to clear up the confusion.
Enterprise offerings (support levels, private repositories, etc.) seem to be the most obvious. I could see many companies being interested in an npm-style infrastructure for their non-OSS modules. Overall, this is interesting and will set a precedent going forward.
Privately run 'open source' code repositories are not what the open web should run on.
I would say that this marks the beginning of the end for npm as anything viable for front-end code repositories and probably for anything related to node.
I propose an open-source alternative for front-end JavaScript libraries and dependency management.
Anyone calling for npm modules and browserify to rule the day for front-end JS should question their opinions on the matter.
I don't know. I think it's fine if a private company that is maintaining the registry also wants to monetize parts of it. They are after all expending considerable effort and resources, and they're doing nothing to stop others from hosting registries.
What would be nice is decentralization — because these registries are so similar to link shorteners I am wondering what a peer to peer registry system would look like a la DNS...
I keep wondering what the whole npm structure will look like. At the bottom of npmjs.org it states: 'Powered by Joyent', but Nodejitsu ran the 'Scale npm' donation campaign to get funds to scale the public npm registry. But Nodejitsu acquired IrisCouch and now offers private npm services.
And now izs starts a new company, npm inc., that will, well, who knows. But he's former Joyent, who power npm, so will running npm transfer to npm inc.? But how do Nodejitsu, or the 300K that they raised with their campaign, fit into this picture?
I wrote the original version of the npm registry in a day or two on top of CouchDB. I built it quickly and didn't think much about scale.
Isaacs continued to improve and maintain that code. At one point he even wrote up an open standard for generic js package registries for CommonJS but they didn't seem to care (they were too busy arguing about promises).
At the time I wrote the initial code I was employed at CouchOne and we had a small CouchDB hosting platform operated by Jason Smith, which is where we ran the registry free of charge. Later on, after CouchOne was acquired by Membase and became Couchbase, it decided to break off the hosting company and give/sell it to Jason Smith, which became IrisCouch.
IrisCouch continued to run the registry for free for several years. They had no venture funding and limited resources but they provided this service for our community anyway. They announced a product for enterprise (hosted) NPM but as far as I know it wasn't really marketed or sold. Last year IrisCouch was acquired by Nodejitsu.
Nodejitsu continued to host the registry for free. Some time last year the infrastructure hit a breaking point, mostly around CouchDB. Remember, I wrote this in a weekend when less than a hundred node packages existed. Many of the semantics from my and Isaacs' initial "prototype" persisted until just a few weeks ago. For instance, this single database held all the package binaries, for every version of a package, attached to the document for that package.
Once the registry started to have serious stability issues a few things happened. Isaacs started to work on ways to improve the reliability by changing how the registry worked and Nodejitsu sought community support for keeping the current registry up. At some point Isaacs also decided it would be best if he worked on NPM full time and built NPM Inc.
In the early days we weren't thinking about 58K modules; that was just crazy. We were just figuring out the simplest way to store a couple of packages the node community was writing. Since founding this company Isaacs has already managed to re-write the way the registry works to fit the kind of load we have now.
Nodejitsu is now free of the financial burden that was dragging them down as well and Isaacs' new infrastructure can keep the registry up more cheaply than the previous system and more reliably.
1. Why are people happy about this? They did a crowd funding round taking common people's money, gave them squat, then took Investor money and gave them a share. (Would make me mad if I was part of the crowd)
2. What is the business model? In what world does PIP or any other package manager have a revenue stream? Ads? Spyware? There are no good models for this.
3. Does anyone else think that having a company title of Supreme Emperor is a sign that this is not a founder focused on community?
I'd say we bounce and use something else, but I did that a long time ago, so I can only suggest everybody else make like an external node. (a leaf ;-) )
Exactly. Which is why I am actively gearing up to switch to Dart and (back to) Python as soon as is even painfully feasible. I am also sick to death of all the socio-political posturing and other narcisspewage surrounding the so-called node/npm "culture".
Is funding better or worse than corporate sponsorship? The most successful (depending on your metric of course) projects have been backed by corporate dollars. Also, not every project can be a Go or Angular with a multi-billion dollar company behind it.
All of the CPAN mirrors are paid for by somebody. Nothing's free; money is in the equation at some point.
Of course, that's a different model than VC funding. However, you're intimating that NPM isn't "real" with your last statement. The project has run for several years now. This isn't some project that came out of the chute with funding (such as Meteor).
Similar model is GitHub: long-running project/organization, took VC after a few years. In the time since they took the VC, have they become corrupted? Are they not a real community?
The difference is in the goal. Donated/sponsored dollars don't expect to get dollars back. VC invested dollars expects invested_dollars * multiple in return.
It really depends on what rights izs has in the case there are differences of opinion between him and where the VCs want to go.
Let's be honest here, 92% of commits were made by izs, npm is izs and izs is npm. The two are inseparable. Without izs, any real development of npm would slow to a crawl, until someone else familiar with the codebase takes ownership.
I know izs personally and he is a stand up guy and a lot of the negative comments about him selling out in this thread are completely unjustified, especially without knowing more details about the rights he has relative to the contract he has with npm, inc. as its CEO.
If push comes to shove and izs disagrees with the direction the VCs push the company after later rounds of funding where izs and the other founders lose control, does he still have the right to split off from the company and continue supporting npm the open source project independent of npm, inc., including taking it in a direction contrary to the goals of npm, inc.? If the answer is no, then there is risk that the community has plenty of time to mitigate if we really care about keeping npm as a public good. The risk is that we lose the most valuable person to this project because he can't work on it anymore.
That being said, the license information on the npm github repo shows that the most valuable assets are owned by izs and not this new company. He owns the trademarks "npm", "the npm registry" and the copyright on the npm codebase. npm, inc. does not own these things. I assume that he, the individual, licenses rights to the npm name to npm, inc. With all this in mind, does he have a non-compete clause that would prevent him from supporting npm if, for whatever reason, he splits off from npm, inc.? If there are no legal restrictions on his rights to contribute/maintain, I'd say the risks are much lower than we think.
At the end of the day, if people in the community really feel strongly about all this, the best thing they can do is start building equity around different trademarks other than "npm" and "the npm registry". Those are the two most important assets, and given that the codebase is licensed as Artistic License v2, any fork in the future would have to change its name even if the trademarks were unprotectable.
If all this bothers you, do the work to build a community fork of npm with a different name (and give ownership of the trademarks to the community), maintain feature parity and compatibility with npm and maintain registry mirrors for this community version. Add to this community fork a dual publish feature that simultaneously publishes modules to npm, inc. controlled registry servers and community maintained ones. This is the best insurance policy the community can have.
Either put your time where your mouth is and start working on a community fork that lives peacefully in parallel or quit whining and especially quit criticizing izs. izs has contributed an incredible amount of time to the needs of the community and has more than earned the goodwill and benefit of the doubt. If npm, inc. one day starts doing something truly anti-community, that is the time to cry foul, not now.
I think the major problem here is just poor branding.
npm can refer to any number of things. It can refer to the client, the server, the hosting provider, the public package registry, and now npm Inc. They all sound like the same thing but they're all actually different.
Contrast this to Github. Github is a service that provides hosting, a public registry, and tools for git. Nobody complains about Github controlling git, because they're obviously separate things. Most people don't know that npm the registry is different from npm the software and that you can even host your own server.
I think they'll mostly be a consulting company for enterprise solutions to companies with hundreds of node.js projects going on that need a complex package management solution that npm inc. can provide.
Going to be watching Nginx and other deals very closely as far as their long-term health.
I could take a giggly pot-shot at web development in general by proposing that they want to monetize node.js via a browser-base service to live one's entire developer life, but I'm in serious agreement with others' concerns that there's something ultimately harmful in VC money getting confused, panicky, and deciding to GSM (Google Mobile Services) the licensing of new code or come up with some ridiculous contributor licensing agreement like what I'm hearing about Ubuntu.
Take heed, FOSS communities don't negotiate except on an endless table that runs from one side of the universe to the other.
Soon there will be a new node.js package manager to compete with npm but it will be supported by a non-profit foundation rather than a private profit-driven company.
This npm inc. is one of the dumbest startup ideas that I have ever come across. Kudos to the founders for managing to hack the VCs, but VCs that dumb ain't gonna be around for long.
I'm a huge fan of Node.js, but I'm getting an uneasy feeling about all the different changes and things happening. I still haven't made up my mind if it's a justified feeling or not.
So... someone enlighten me here; why does a project like npm need funding at all? If projects like GCC, which are far more complex, can subsist via contributions and donations alone, what makes npm, a package manager, different?
Canonical hosts packages for Ubuntu, and they pay for that by charging for other services. Free packages means more people using Ubuntu means more people seeking enterprise support.
There is always funding for everything that lives. Even if you're hosting something for "free" yourself, your job is the funding.
Examples (genuinely curious)? In my casual experience, it seems to be easier to use than gems or pip and has much larger ecosystem than anything else I have tried, which is the #1 selling point of a package manager IMHO. A good package manager (by my standards) should have:
1. super easy publishing
2. A package for practically everything you can think of and if not, see #1
3. Most of the market share for its particular language so that you can be reasonably sure a particular module maintainer has an up to date package
Back in July he must've seen this coming because he switched the npm license from MIT to the more restrictive Artistic 2.0: https://github.com/npm/npm/commit/c32391b1efd70a861cebc77e0c...
He's already taken away the download numbers on npmjs.org, so maybe he intends to sell the "analytics" back to the community.
The guy calls himself a Supreme Emperor on his LinkedIn.