GitHub launches package registry service… What about dependencies, asks GitLab?

Gitlab Logo
Gitlab Logo

GitHub has launched a public beta of its Package Registry service, which aims to provide a single place for developers to host and manage the packages that are used to deploy an application, alongside their code.

The move sparked an immediate response from GitLab, which said it already offers much the same capabilities, and claimed it is looking ahead to making package management more secure and auditable for developers by adding the ability to track code dependencies.

GitHub unwrapped GitHub Package Registry, on Friday. It does not replace the familiar package managers that developers are already using, instead supporting Docker images, NPM for JavaScript, Maven, NuGet and RubyGems.

Package Registry integrates with GitHub so that users are able to employ the same search and management tools to find and publish packages as they do in their own repositories, the firm said, and allow them to use a single set of credentials for both code and packages.

Not to be outdone, GitLab says it has been working towards building a single application for the entire DevOps lifecycle for many years now, and has supported integrated packaging since 2016, starting off with a Docker registry but adding Maven and NPM in 2018.

GitHub was famously acquired by Microsoft last year, a move that understandably agitated many in the developer community and reportedly led a number of them to seek an alternative hosting service to stash their code. Since the takeover closed, GitHub has added a host of new features and capabilities, many of them aimed at integrating GitHub more closely with Microsoft’s own developer platforms such as Visual Studio and Azure.

“It is good for users that Microsoft is now innovating with new features for GitHub after the acquisition,” said co-founder and chief executive  Sid Sijbrandij, writing on the GitLab blog.

“GitLab already offers package registries, along with features in all 10 stages of a DevOps lifecycle, including deployment, security, and monitoring. We have seen that customers definitely value the benefits of a single application for DevOps,” he added.

One of the things that GitLab says it is working on is making package management more secure and auditable for developers using packages through the creation of a Dependency Proxy service.

The Dependency Proxy is intended to provide a mechanism for storing and accessing external packages that will enable faster and more reliable builds for developers, but also provide clearer visibility into where external dependencies are being introduced into the supply chain for security analysts, allowing them to set policies and create lists of approved and also banned packages.

It appears that work on GitLab’s Dependency Proxy is currently at an a early stage, and the firm says it will focus first on implementing proxy packages for its Docker registry for on-premises GitLab installations, and will then look at extending support to Maven and NPM.