Note: This post has been updated to reflect current conditions as of June 1, 2021.
We’ve been hearing some confusion in the community about GitHub’s service, GitHub Package Registry. It’s a package management service, available with a GitHub license, that enables developers to publish packages next to their source code. We want to set the record straight about what this means for our loyal Artifactory customers and users.
GitHub is a long time partner (and customer) of JFrog, and we see the vision of Liquid Software playing out on their open source collaboration platform.
Their service is a step toward the flow of open source code from the “wild” of GitHub into packages that can be managed by enterprises on their journey to a reliable, safe, and up-to-date production environment.
Packages are among the vital assets of the software lifecycle, so translating OSS software into packages makes them much easier to manage and control. This is essential for enterprises. Now with GitHub packages, we have many more package registry sources (we call them “remote repositories”) closely tied to the source repos, which can be imported, managed, scanned, combined with enterprise software, and pushed to a production environment. We hope this new capability enables enterprises to leverage open source software like never before.
We welcome technologies that make developers more productive, and we’re pleased to see GitHub enter the package management space.
What Can This Package Service Do?
GitHub Package Registry provides GitHub users a complementary service for packages, alongside their versioned repositories of source code. It works with either private or public repos, and developers can use the same credentials that they use for GitHub. Support for CI is largely achieved through the limited set of GitHub Actions.
What’s the difference between GitHub Package Registry and JFrog Artifactory?
This is a great question, so let’s take a quick peek, and then answer some FAQs on GitHub Packages vs. JFrog Artifactory.
GitHub’s support of six package types for open source is a great step in the right direction that will help the world move toward liquid software. It can help improve the chain of trust from source to Artifactory to production for open source components.
But let’s be clear what this is not: It is not a replacement for Artifactory.
It does not provide the traceable, trusted path for all your artifacts that an effective DevOps pipeline requires. Nor is it a replacement for centralized repositories like Docker Hub, Maven Central, PyPI, or npm.
Some Popular Questions
I’m using Artifactory. Is GitHub Package Registry a competitor?
No. GitHub Package Registry is not a competitor to Artifactory, as it does not support many features required of modern binary repositories. While GitHub can manage your open source packages, the remainder of your artifacts is left to you to manage through your pipeline. Artifactory remains your source of truth for binaries, storing build information, promoting builds through test to production, scanning for security, and providing visibility and insight into your builds required for fast, assured software releases.
Does GitHub provide enterprises an on-prem or hybrid solution?
GitHub offers an on-prem option solely through GitHub Enterprise Server, its most comprehensive offering. It can be combined with an Enterprise Cloud account to create a hybrid system through GitHub Connect.
Artifactory offers a more comprehensive set of options, with every license level available both in the cloud and on-prem. JFrog also empowers you to choose your hosting cloud platform from any of the major cloud providers (AWS, GCP, and Azure) or maintain more than one for a multi-cloud DevOps strategy. GitHub hosts all cloud (SaaS) service levels on a single, unspecified cloud platform, making multi-cloud redundancy impossible.
Artifactory has many more capabilities that are critical to both on-prem or hybrid environments. See below for more details.
Does GitHub support all of my packages?
Only six: npm, Docker, Maven, Gradle, NuGet, and RubyGems.
Artifactory is truly universal with support for 30 technologies and counting. This includes repositories for in-demand package types such as pip/twine (for Python), Go modules, Conan (for C/C++), and Cargo (for Rust). Furthermore, Artifactory can host Docker registries that are OCI compliant, and supports repositories for Helm 2 and 3.
Does GitHub integrate with other, third-party tools?
While integrations for GitHub are abundant, integrations for GitHub Packages are limited. Artifactory has a rich catalog of integrations for use with the most widely used CI/CD servers, IDEs, issue trackers, and other DevOps tools and platforms. Even more integrations are available from our many technology partners.
How does GitHub offer to manage third-party packages?
GitHub is focused on your own packages and does not offer a clear solution for managing third-party packages. There is no option to proxy other repositories, and it is not clear what you should do in order to host third-party packages in your repo.
What does Artifactory do that GitHub doesn’t?
Quite a lot. Here are the top features to keep in mind:
- Universal – Supports 30 package types, many integration options, REST APIs and a powerful query language (AQL).
- Traceability – Provides the build info that lets you automate more of your pipeline and speed up releases.
- Flexibility – Can be deployed on-prem or cloud-hosted (multi-cloud), managed or self-managed, or as part of a hybrid environment.
- Robust – Proxy mode for many sources provides caching for speed, protection against connectivity outages, and support for disaster recovery.
- Security/DevSecOps – JFrog Xray enables you to maintain your developers’ velocity while helping to keep known vulnerabilities out of released software.
- Enterprise-Ready – Support for push/pull replication and high availability, along with a family of complementary products composing the JFrog Platform that enable DevOps on a global scale.
What Should You Do Next?
Artifactory is a mature, industry-standard artifact repository that frees you to choose the tools and platforms you use throughout your pipeline. It empowers startups and global enterprises alike to improve the velocity of development while keeping them safe at the scale they need.
That’s why Artifactory is trusted by millions of users and thousands of customers, including a majority of the Fortune 100 companies. The world’s top brands, such as LinkedIn, Facebook, Morgan Stanley, Capital One, Cisco, Netflix, Uber, VMware, and Spotify, depend on JFrog to manage the binaries for their mission-critical applications.
Who else uses Artifactory? GitHub does, for their internal development.
Artifactory is the key solution that powers the JFrog DevOps Platform, which can drive your end-to-end digital transformation. For more details, see our comprehensive JFrog vs GitHub comparison.
Haven’t experienced Artifactory yet?
Nothing can replace hands-on experience with a free JFrog cloud account. Give Artifactory and the JFrog Platform a full evaluation — for the needs of today, and the DevOps needs of tomorrow.