Tallying Up: Artifactory vs GitHub Packages

GitHub recently announced a new service – GitHub Package Registry. It’s a package management service, currently in limited beta, that enables developers to publish packages next to their source code. We’ve heard some confusion in the community, so we wanted to set the record straight about what this announcement means to our loyal Artifactory customers.

GitHub is a longtime partner (and customer) of JFrog, and we see the vision of Liquid Software playing out on their open source collaboration platform.

This announcement is a step toward the flow of open source code from the “wild” of GitHub into packages that can be managed by enterprises on their journey to a reliable, safe, and up-to-date production environment. Packages are the true asset of the software lifecycle, so translating OSS software into packages makes them much easier to manage and control. This is essential for enterprises. Now with GitHub packages, we have many more package registry sources (we call them “remote repositories”) closely tied to the source repos, which can be imported, managed, scanned, combined with enterprise software, and pushed to a production environment. We hope this new capability enables enterprises to leverage open source software like never before.

We welcome technologies that make developers more productive, and we’re pleased to see GitHub enter the package management space we’ve spearheaded since 2008.

What is GitHub Package Management?

GitHub Package Registry provides users of GitHub a complementary service for packages, alongside their versioned repositories of source code. It will work in both private and public repos, and developers can use the same credentials. Support for CI is achieved through GitHub Actions.

What’s the difference between GitHub Package Registry and JFrog Artifactory?

This is a great question, so let’s take a quick peek, and then answer some FAQs on GitHub Packages vs. JFrog Artifactory.

GitHub’s support of six package types for open source is a great step in the right direction that will help the world move toward liquid software. It can help improve the chain of trust from source to Artifactory to production for open source components. But let’s make clear what this is not: It is not a replacement for Artifactory. It does not provide the traceable, trusted path for all your artifacts necessary for an effective DevOps pipeline. Nor is it even a replacement for centralized repositories like GoCenter, JCenter, npm, or Maven Central.

Some popular questions

I’m using Artifactory. Is GitHub Package Registry a competitor?

No. GitHub Package Registry is not a competitor to Artifactory, as it does not support many features required of modern binary repositories. Artifactory remains your source of truth for binaries, storing build information, promoting builds through test to production, scanning for security, and providing the visibility and insight into your builds required for fast, assured software releases. GitHub can manage some of your open source packages; the remainder of your artifacts are left to you to manage through your pipeline.

Does GitHub Package Registry provide enterprises an on-prem or hybrid solution?

No. GitHub is not offering any known on-prem options for packages. Their current capabilities are more similar to SourceForge than Artifactory. Artifactory has many more capabilities that are critical to both on-prem and hybrid environments. See below for more details.

Does GitHub support all of my packages?

Only six: npm, Docker, Maven, NuGet, RubyGems, and Swift.
Artifactory is truly universal with support for 25 technologies and counting.

Does GitHub Package Registry integrate with other, third-party tools?

Integrations are limited, while Artifactory has a rich catalog of integrations for use with the most widely-used CI/CD servers, IDEs, issue trackers, and other DevOps tools and platforms. Even more integrations are available from our many technology partners.

How does GitHub Package Registry offer to manage third-party packages?

The GitHub Package Registry is focused on your packages, and they do not offer a clear solution for managing third-party packages. There is no option to proxy other repositories and it is not clear what you should do in order to host third-party packages in your repo.

What does Artifactory do that GitHub Package Registry doesn’t?

Quite a lot. Here are the top features to keep in mind:

  1. Universal – Supports 25 package types, many integration options, REST APIs and a powerful query language (AQL).
  2. Traceability – Provides the buildinfo that allows you to better automate and speed up releases.
  3. Flexible – Can be deployed on-prem or cloud-hosted, managed or self-managed, or as part of a hybrid environment.
  4. Robust – Proxy mode for many sources provides caching for speed and protection against connectivity outage and disaster recovery.
  5. Security – JFrog Xray helps enable DevSecOps, so you can maintain your developers’ velocity while helping to keep known vulnerabilities out of released software.
  6. Enterprise-Ready – Support for push/pull replication and high availability, along with a family of complementary products composing the JFrog Enterprise+ Platform that enable DevOps on a global scale.

What should you do next?

Artifactory is a mature, industry-standard artifact repository manager that frees you to choose the tools and platforms you use throughout your pipeline. It empowers startups and global enterprises alike to improve the velocity of development while keeping them safe at the scale they need.

That’s why Artifactory is trusted by more than 5,000 customers, including 70% of the Fortune 100. The world’s top brands, such as Amazon, Facebook, Google, Netflix, Uber, VMware, and Spotify depend on JFrog to manage their binaries for their mission-critical applications.

Who else uses Artifactory? GitHub does, for their internal development.

Haven’t experienced Artifactory yet?

Nothing can replace a free hands-on trial. Give Artifactory a full evaluation, for the DevOps needs of today, and the needs of tomorrow.