GitHub nabs JavaScript packaging vendor npm

GitHub, the developer repository owned by Microsoft, made a little deal of its own this morning when it bought JavaScript packaging vendor npm for an undisclosed amount.

As GitHub CEO Nat Friedman wrote in a blog post announcing the deal, npm is a big deal in the JavaScript community. The company is the commercial entity behind the Node package manager, the npm Registry and npm CLI.

“npm is a critical part of the JavaScript world. The work of the npm team over the last 10 years, and the contributions of hundreds of thousands of open source developers and maintainers, have made npm home to over 1.3 million packages with 75 billion downloads a month,” Friedman wrote.

As though anticipating developer angst about the change in ownership, Friedman promised that users would not notice a difference. “For the millions of developers who use the public npm registry every day, npm will always be available and always be free,” Friedman wrote.

He also promised to update the infrastructure behind the tool, improve the experience and keep up communication with the npm community. What’s more, he said the company would incorporate the npm tech into the GitHub platform.

“Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it,” he wrote.

But it’s not just the free version, of course. There is a core group of paying customers too, and Friedman indicated GitHub would continue to support them.

He also stated that later this year when the registry is integrated more fully into the GitHub platform, paying customers would be able to convert their private npm packages to GitHub packages.

npm was founded in 2014, and raised almost $19 million on a $48 million post valuation, according to PitchBook data.

Deviceplane wants to bring over-the-air updates to Linux edge devices

Deviceplane, a member of the Y Combinator Winter 2020 class, is developing an open source toolset to manage, monitor and update Linux devices running at the edge.

“We solve the hard infrastructure problems that all these companies face including network conductivity, SSH access, orchestrating and deployment of remote updates, hosting, application monitoring and access and security controls. It’s 100% open source, available under an Apache License. You can either host it yourself or you can run on the hosted version,” company founder and CEO Josh Curl told TechCrunch.

He could see this working with a variety of hardware including robotics, consumer appliances, drones, autonomous vehicles and medical devices.

Curl, who has a background in software engineering, was drawn to this problem and found that most companies were going with home-grown solutions. He said once he studied the issue, he found that the set of infrastructure resources required to manage, monitor and update these devices didn’t change that much across industries.

The over-the-air updates are a big part of keeping these devices secure, a major concern with edge devices. “Security is challenging, and one of the core tenets of security is just the ability to update things. So if you as a company are hesitant to update because you’re afraid that things are going to break, or you don’t have a proper infrastructure to do those upgrades, that makes you more hesitant to do upgrades, and it slows down development velocity,” Curl said.

Customers can connect to the Deviceplane API via WiFi, cellular or ethernet. If you’re worried about someone tapping into that, Curl says the software assigns the device a unique identity that is difficult to spoof.

“Devices are assigned an identity in Deviceplane and this identity is what authorizes it to make API calls to Deviceplane. The access key for this identity is stored only on the device, which makes it impossible for someone else to spoof this device without physical access to it.

“Even if someone were able to spoof this identity, they would not be able to deploy malicious code to the spoofed device. Devices never have access to control what software they’re running — this is something that can be done only by the developer pushing out updates to devices,” Curl explained.

The company intends to offer both the hosted version and installed versions of the software as open source, something that he considers key. He hopes to make money supporting companies with more complex installations, but he believes that by offering the software as open source, it will drive developer interest and help build a community around the project.

As for joining YC, Curl said he has friends that had been through the program in the past, and had recommended he join as well. Curl sees being part of the cohort as a way to build his business. “We were excited to be tapping into the YC network — and then being able to tap into that network in the future. I think that YC has funded many companies in the past that can be DevicePlane customers, and that can accelerate going forward.”

Curl wasn’t ready to share download numbers just yet; it’s still an early-stage startup looking to build the company. It’s using an open source model to drive interest, while helping solve a sticky problem.

Where top VCs are investing in open source and dev tools (Part 2 of 2)

In part two of a survey that asks top VCs about exciting opportunities in open source and dev tools, we dig into responses from 10 leading open-source-focused investors at firms that span early to growth stage across software-specific firms, corporate venture arms and prominent generalist firms.

In the conclusion to our survey, we’ll hear from:

These responses have been edited for clarity and length.

Where top VCs are investing in open source and dev tools (Part 1 of 2)

The once-polarizing world of open-source software has recently become one of the hotter destinations for VCs.

As the popularity of open source increases among organizations and developers, startups in the space have reached new heights and monstrous valuations.

Over the past several years, we’ve seen surging open-source companies like Databricks reach unicorn status, as well as VCs who cashed out behind a serious number of exits involving open-source and dev tool companies, deals like IBM’s Red Hat acquisition or Elastic’s late-2018 IPO. Last year, the exit spree continued with transactions like F5 Networks’ acquisition of NGINX and a number of high-profile acquisitions from mainstays like Microsoft and GitHub.

Similarly, venture investment in new startups in the space has continued to swell. More investors are taking shots at finding the next big payout, with annual invested capital in open-source and dev tool startups increasing at a roughly 10% compounded annual growth rate (CAGR) over the last five years, according to data from Crunchbase. Furthermore, attractive returns in the space seem to be adding more fuel to the fire, as open-source and dev tool startups saw more than $2 billion invested in the space in 2019 alone, per Crunchbase data.

As we close out another strong year for innovation and venture investing in the sector, we asked 18 of the top open-source-focused VCs who work at firms spanning early to growth stages to share what’s exciting them most and where they see opportunities. For purposes of length and clarity, responses have been edited and split (in no particular order) into part one and part two of this survey. In part one of our survey, we hear from:

HPE acquires cloud native security startup Scytale

HPE announced today that it has acquired Scytale, a cloud native security startup that is built on the open-source Secure Production Identity Framework for Everyone (SPIFFE) protocol. The companies did not share the acquisition price.

Specifically, Scytale looks at application-to-application identity and access management, something that is increasingly important as more transactions take place between applications without any human intervention. It’s imperative that the application knows it’s OK to share information with the other application.

This is an area that HPE wants to expand into, Dave Husak, HPE fellow and GM of cloudless initiative, wrote in a blog post announcing the acquisition. “As HPE progresses into this next chapter, delivering on our differentiated, edge to cloud platform as-a-service strategy, security will continue to play a fundamental role. We recognize that every organization that operates in a hybrid, multi-cloud environment requires 100% secure, zero trust systems, that can dynamically identify and authenticate data and applications in real-time,” Husak wrote.

He was also careful to stress that HPE would continue to be a good steward of the SPIFFE and SPIRE (the SPIFFE Runtime Environment) projects, both of which are under the auspices of the Cloud Native Computing Foundation.

Scytale co-founder Sunil James, writing in a blog post about the deal, indicated that it was important to the founders that HPE respect the startup’s open-source roots. “Scytale’s DNA is security, distributed systems, and open-source. Under HPE, Scytale will continue to help steward SPIFFE. Our ever-growing and vocal community will lead us. We’ll toil to maintain this transparent and vendor-neutral project, which will be fundamental in HPE’s plans to deliver a dynamic, open, and secure edge-to-cloud platform,” he wrote.

Scytale was founded in 2017 and had raised $8 million, according to PitchBook data. The bulk of that was in a $5 million Series A last March led by Bessemer. The deal closed today.

Hyperledger Fabric, the open source distributed ledger, reaches release 2.0

The open source Hyperledger Foundation announced the release of Hyperledger Fabric 2.0 today, the first such project to reach a 2.0 release.

It’s a notable milestone. The blockchain as a business tool has certainly had a rocky road over the last few years, but there is still plenty to like about smart contracts that have automated compliance checks built in. Hyperledger Fabric 2.0 has lots of new features with that in mind.

The biggest updates involve forcing agreement among the parties before any new data can be added to the ledger, known as decentralized governance of the smart contracts. In practice, it means that the system will prevent any entity from writing to the ledger until there is consensus among the parties involved in the transaction, a basic blockchain tenet.

This is a requirement because the beauty and the curse of the distributed ledger is that it is an immutable record. Once you have written something in the ledger, it becomes very difficult to change it without the agreement of all those involved in the contract. You want to make sure you get it right before you commit something to the ledger.

Along those same lines, developers can build in automated checks along the way. As the project puts it, this ensures the parties can “validate additional information before endorsing a transaction proposal.”

Brian Behlendorf, Executive Director at Hyperledger and a big advocate of open source distributed ledger technology, says this is a big milestone for the project and the organization as it looks to help organizations adopt distributed ledger technology.

“Fabric 2.0 is a new generation framework developed by and for the enterprises that are building distributed ledger capabilities into the core of their businesses. This new release reflects both the development and deployment experience of the Fabric community and confirms the arrival of the production era for enterprise blockchain,” Behlendorf said in a statement.

That remains to be seen. The rise of blockchain in business has moved at a slow pace, but this release shows that the open source community is still committed to building enterprise-grade distributed ledger technology. Today’s announcement is another step in that direction.

Cortex Labs helps data scientists deploy machine learning models in the cloud

It’s one thing to develop a working machine learning model; it’s another to put it to work in an application. Cortex Labs is an early stage startup with some open source tooling designed to help data scientists take that last step.

The company’s founders were students at Berkeley when they observed that one of the problems around creating machine learning models was finding a way to deploy them. While there was a lot of open source tooling available, data scientists are not experts in infrastructure.

CEO Omer Spillinger says that infrastructure was something the four members of the founding team — himself, CTO David Eliahu, head of engineering Vishal Bollu and head of growth Caleb Kaiser — understood well.

What the four founders did was take a set of open source tools and combine them with AWS services to provide a way to deploy models more easily. “We take open source tools like TensorFlow, Kubernetes and Docker and we combine them with AWS services like CloudWatch, EKS (Amazon’s flavor of Kubernetes) and S3 to basically give one API for developers to deploy their models,” Spillinger explained.

He says that a data scientist starts by uploading an exported model file to S3 cloud storage. “Then we pull it, containerize it and deploy it on Kubernetes behind the scenes. We automatically scale the workload and automatically switch you to GPUs if it’s compute intensive. We stream logs and expose [the model] to the web. We help you manage security around that, stuff like that,” he said.

While he acknowledges this is not unlike Amazon SageMaker, the company’s long-term goal is to support all of the major cloud platforms. SageMaker of course only works on the Amazon cloud, while Cortex will eventually work on any cloud. In fact, Spillinger says that the biggest feature request they’ve gotten to this point is to support Google Cloud. He says that and support for Microsoft Azure are on the road map.

The Cortex founders have been keeping their head above water while they wait for a commercial product with the help of an $888,888 seed round from Engineering Capital in 2018. If you’re wondering about that oddly specific number, it’s partly an inside joke — Spillinger’s birthday is August 8th — and partly a number arrived at to make the valuation work, he said.

For now, the company is offering the open source tools, and building a community of developers and data scientists. Eventually, it wants to monetize by building a cloud service for companies who don’t want to manage clusters — but that is down the road, Spillinger said.

Snyk snags $150M investment as its valuation surpasses $1B

Snyk, the company that wants to help developers secure their code as part of the development process, announced a $150 million investment today. The company indicated the investment brings its valuation to over $1 billion (although it did not share the exact figure).

Today’s round was led by Stripes, a New York City investment firm, with Coatue, Tiger Global, BoldStart, Trend Forward, Amity and Salesforce Ventures also participating. The company reports it has now raised over $250 million.

The idea behind Snyk is to fit security firmly in the development process. Rather than offloading it to a separate team, something that can slow down a continuous development environment, Snyk builds in security as part of the code commit.

The company offers an open source tool that helps developers find open source vulnerabilities when they commit their code to GitHub, Bitbucket, GitLab or any CI/CD tool. It has built up a community of over 400,000 developers with this approach.

Snyk makes money with a container security product, and by making the underlying vulnerability database it uses in the open source product available to companies as a commercial product.

CEO Peter McKay, who came on board last year as the company was making a move to expand into the enterprise, says the open source product drives the revenue-producing products and helped attract this kind of investment. “Getting to [today’s] funding round was the momentum in the open source model from the community to freemium to [land] and expand — and that’s where we are today,” he told TechCrunch.

He said that the company wasn’t looking for this money, but investors came knocking and gave them a good offer, based on Snyk’s growing market momentum. “Investors said we want to take advantage of the market, and we want to make sure you can invest the way you want to invest and take advantage of what we all believe is this very large opportunity,” McKay said.

In fact, the company has been raising money at a rapid rate since it came out of the gate in 2016 with a $3 million seed round. A $7 million Series A and a $22 million Series B followed in 2018, with a $70 million Series C last fall.

The company reports over 4X revenue growth in 2019 (without giving exact revenue figures), and some major customer wins including the likes of Google, Intuit, Nordstrom and Salesforce. It’s worth noting that Salesforce thought enough of the company that it also invested in this round through its Salesforce Ventures investment arm.

Anybody can now make HomeKit accessories

Apple has released an open-source version of the HomeKit Accessory Development Kit. You can now fork it on GitHub and play around with it to integrate smart home devices in the Home app and beyond.

Today’s news is related to the Connected Home over IP effort, an industry-wide effort to build an open-source standard for the internet of things. Essentially, Apple, Amazon, Google, the Zigbee Alliance and smart home manufacturers want to work together so that accessories work everywhere.

HomeKit is lagging behind, even though Apple arrived early in the connected home space. A ton of accessories now work with Amazon Alexa and Google Assistant, but you can control very few accessories with Siri, as HomeKit adoption has been slow.

By open-sourcing HomeKit, Apple hopes that more smart home manufacturers will try to integrate HomeKit in their prototypes. Everything has been released under the Apache 2.0 license.

As Next INpact noticed, if you want to release a HomeKit-compatible accessory, you still have to work with Apple to get a certification. And of course, manufacturers that work with Apple directly could potentially access unreleased features before they’re unveiled at WWDC.

Developers have already reverse-engineered HomeKit to add HomeKit compatibility to more devices with the Homebridge project. Now let’s see if it leads to more cool projects to make it easier to control your connected objects from your iPhone, iPad and other Apple devices.

Making sense of a multi-cloud, hybrid world at KubeCon

More than 12,000 attendees gathered this week in San Diego to discuss all things containers, Kubernetes and cloud-native at KubeCon.

Kubernetes, the container orchestration tool, turned five this year, and the technology appears to be reaching a maturity phase where it accelerates beyond early adopters to reach a more mainstream group of larger business users.

That’s not to say that there isn’t plenty of work to be done, or that most enterprise companies have completely bought in, but it’s clearly reached a point where containerization is on the table. If you think about it, the whole cloud-native ethos makes sense for the current state of computing and how large companies tend to operate.

If this week’s conference showed us anything, it’s an acknowledgment that it’s a multi-cloud, hybrid world. That means most companies are working with multiple public cloud vendors, while managing a hybrid environment that includes those vendors — as well as existing legacy tools that are probably still on-premises — and they want a single way to manage all of this.

The promise of Kubernetes and cloud-native technologies, in general, is that it gives these companies a way to thread this particular needle, or at least that’s the theory.

Kubernetes to the rescue

Photo: Ron Miller/TechCrunch

If you were to look at the Kubernetes hype cycle, we are probably right about at the peak where many think Kubernetes can solve every computing problem they might have. That’s probably asking too much, but cloud-native approaches have a lot of promise.

Craig McLuckie, VP of R&D for cloud-native apps at VMware, was one of the original developers of Kubernetes at Google in 2014. VMware thought enough of the importance of cloud-native technologies that it bought his former company, Heptio, for $550 million last year.

As we head into this phase of pushing Kubernetes and related tech into larger companies, McLuckie acknowledges it creates a set of new challenges. “We are at this crossing the chasm moment where you look at the way the world is — and you look at the opportunity of what the world might become — and a big part of what motivated me to join VMware is that it’s successfully proven its ability to help enterprise organizations navigate their way through these disruptive changes,” McLuckie told TechCrunch.

He says that Kubernetes does actually solve this fundamental management problem companies face in this multi-cloud, hybrid world. “At the end of the day, Kubernetes is an abstraction. It’s just a way of organizing your infrastructure and making it accessible to the people that need to consume it.

“And I think it’s a fundamentally better abstraction than we have access to today. It has some very nice properties. It is pretty consistent in every environment that you might want to operate, so it really makes your on-prem software feel like it’s operating in the public cloud,” he explained.

Simplifying a complex world

One of the reasons Kubernetes and cloud-native technologies are gaining in popularity is because the technology allows companies to think about hardware differently. There is a big difference between virtual machines and containers, says Joe Fernandes, VP of product for Red Hat cloud platform.

“Sometimes people conflate containers as another form of virtualization, but with virtualization, you’re virtualizing hardware, and the virtual machines that you’re creating are like an actual machine with its own operating system. With containers, you’re virtualizing the process,” he said.

He said this means a container is not coupled to the hardware. The only thing it needs to worry about is making sure it can run Linux, and Linux runs everywhere, which explains how containers make it easier to manage across different types of infrastructure. “It’s more efficient, more affordable, and ultimately, cloud-native allows folks to drive more automation,” he said.

Bringing it into the enterprise


It’s one thing to convince early adopters to change the way they work, but it’s another as this technology enters the mainstream. Gabe Monroy, partner program manager at Microsoft, says that to carry this technology to the next level, we have to change the way we talk about it.