GitHub Marketplace is Killing the Marketplace

I found it interesting that Appcanary is shutting down and being acquired by GitHub. In January, Gemnasium announced it is soon to follow, being folded into GitLab.

As the largest orbiting body in its solar system, GitHub has long held a disproportionate gravitational pull on every other vendor in its space. If the ecosystem around GitHub grew to be messy, their answer seems clear: define a marketplace. It will prove to be a successful instrument to drive consolidation, but I don’t think it will be transformative in other ways (not the least of which is driving innovation). While it will always be possible to exist outside of GHM, such a marketplace would serve its purpose better outside of GitHub’s hands.

As Gemnasium’s CEO Philippe Lafoucrière writes in the post mentioned above:

In October 2017, while assisting GitHub Universe like many other partners, we were surprised and shocked by the announcement of their own security feature. GitHub didn’t seem (or didn’t want) to realize they were attacking our core business directly. There was no clue or warning of this feature…

It’s easy to be too cynical about it: significant corporate entity invites you to a party, buys you a drink, figures you out, and ends up copying your business. “Sucks to be you, pal! Here, have a t-shirt. Want a job?” On the other hand, GitHub has many developers who want to work on cool stuff. What did you think would eventually happen?

It’s unlikely to be malicious, but the optics are just as bad. It’s more likely that there are only a few inhabitants of Planet GitHub¹ who were aware of the potential harm their new feature would cause companies in their ecosystem. Still, for those familiar with it, it probably seemed like an idea they should do anyway.

It probably started like this:


A:   “There’s a lot of insecure code we host. We should fix it all.”

B:   “Well, let’s not be creepy.”

C:   “What if we build tools to do it for them?”

A:   “It’d be evil not to. Where to start?”

D:   “Dependency management & security alerts?”

A,B,C: 🍻


All it takes

All it takes is a handful of developers to come up with the idea, crib what they can from a shared experience of what customers would expect the solution to look like, pitch it to their manager, and feel good about it. It starts so simply, but from the outside, it brings back memories of Google brandishing their particular kind of “evil” when they used HuddleChat² to demo AppEngine. Yes, that’s right, we remember.

We’ll leave the ‘evil’ question aside for now. No, I doubt GitHub had evil intentions and an explicit mission to go after vendors they are courting simultaneously. More likely, it’s just their mission. They see providing this service to all their customers as better than providing it to some, and they see themselves inherently better at doing this than anyone else (thus the Appcanary acqui-hire³). That feeds into their mission at the company level far more than maintaining a healthy ecosystem.

What is GitHub Marketplace?

Back to GitHub Marketplace as a thing, though. Like everyone else, I’ve seen the Marketplace tab but every time I click on it, I feel lost. “Apps? Free Trials? Huh? Wait, what was I looking for again?” I know tons of people who use Travis, but those same people wouldn’t care or know to care that Travis is available via GitHub Marketplace. This begs the question: who uses the marketplace? What is it for?

To wit, Lafoucrière continues…

in August 2017, Gemnasium was officially launched in the dependency management section. We thought the traction of the marketplace could bring us to the next level, and boost our MRR. After 6 months, it was clear we were wrong. Our revenue coming from the marketplace was only 3% of our MRR. It didn’t even cover the efforts to develop the integration.

We should all learn from the indie Mac community. Like the Mac App Store, the purpose of GHM isn’t to make sellers more money. It’s to frame the conversation. For Apple, the point of the MAS was never to make more money; it makes enough. It’s a vehicle to reinforce for their customers what it means to be part of their club. I think there are parallels here to GHM.

The rest of the mechanics aren’t the same for GHM because, unlike the MAS, much of the customer experience exists outside the control of GitHub. I suppose consolidating payments might be helpful, but as someone who works with many vendors, dealing with invoices isn’t complicated; the complicated part is negotiating contracts, caps, usage, etc., things GHM doesn’t appear to address at all. The services and pricing on GHM are geared toward retail.

So what’s next?

One final note here from the post above:

The result was immediate. Our churn rate doubled, and our previously growing company-wide MRR stalled completely.

That’s pretty damning. GH announces a competing product, and your business starts to dry up. I should have probably stated at the start I think Gemnasium’s product is pretty great, and I’ll be sorry to see them go. But it also sounds like GitHub, with little to no effort, helped make it easy for them to make this decision.

The most disappointing part of this may be speculative, but I think many feel GitHub Security Alerts will end up being good, but not great; there will always be an avenue for someone to serve niche customers better.⁴ I hope it’s still worth someone’s while to do so in the end.


  1. I find it hard to grant this company anything other than planetary status, but, notably, their conference is named GitHub Universe – tells you something about our collective frame of mind. ↩︎

  2. Gruber summed it up. I loved Campfire chat at the time, and while I took offense at Google engineers copying this beloved product, I don’t think they knew what they were doing. On the plus side, it taught us a lesson about the competitive risks to SaaS models: how easy the hard parts look and how hard the easy parts are. ↩︎

  3. As a YC-funded startup, I’m sure YC had a say in the outcome, regrettably. Appcanary’s farewell post suggests this wasn’t exactly a celebratory experience, nor something the founders banked on happening at the outset. ↩︎

  4. Not the venture-backed route (after all, who will fund you knowing GitHub has both a competing product and a marketplace of competitors to drive prices down?) ↩︎