favicon-512

Connected Places

Detail of a Belgian door

FR#157 – Social Software Distribution

Open social protocols are expanding beyond social media into the infrastructure developers use to build, distribute, and discover software. Three recent launches show what that looks like in practice.

I also run a weekly newsletter, where you get all the articles I published this week directly in your inbox, as well as additional analysis. You can sign up right here, and get the next edition this Friday!

Over the past two weeks, three unrelated projects have each, independently, started rebuilding parts of the software distribution pipeline on open protocols. AltStore PAL, a third-party app marketplace for iOS, has integrated ActivityPub into its app discovery system. Tangled, a code collaboration platform built on the AT Protocol, announced a €3.8 million seed round. And npmx, a new browser for the npm package registry, launched its alpha with social features built on ATProto and an open source community that grew to over two hundred contributors in its first month. None of these are social media applications, but all three treat open protocols as connective infrastructure for software distribution and discovery.

AltStore PAL uses ActivityPub as a notification and discovery layer on top of what remains a conventional app marketplace. Tangled goes considerably further, using ATProto not merely as a social add-on but as the architectural foundation for the entire platform. And npmx pushes the question beyond technical integration altogether, showing that building social software distribution requires sustained community work.

AltStore PAL, the alternative app marketplace for iOS, announced this week that it is integrating with the fediverse through ActivityPub. The integration works through a Mastodon server hosted on AltStore’s own infrastructure, where app developers can federate updates, news alerts, and release notes as posts that are visible across the entire fediverse. Users on an ActivityPub platform such as Mastodon can follow app sources and see updates appear in their timelines alongside their regular social feeds. Within AltStore PAL itself, users can sign in with their Mastodon account, or with their Bluesky account via Bridgy Fed, to like apps and interact with updates directly in the marketplace.

The result is that AltStore PAL becomes, in its own framing, the first federated app marketplace. What this means in practice is that the discovery and communication layer around apps has been opened up to the social web, even as the actual distribution mechanics remain those of a conventional app store. When a developer pushes an update, that update is announced as a federated post that can be boosted, liked, and replied to by anyone on the fediverse, and those interactions are then surfaced back inside the AltStore PAL app.

The launch included several fediverse-native applications, including iPhanpy (a Mastodon client), PeerTube, and Loops, apps whose users are already invested in the fediverse. Launching with this audience is a deliberate adoption strategy: you seed your federated marketplace with a community that has an inherent interest in seeing it succeed, because a federated app store that distributes fediverse software is a validation of the ecosystem they already belong to. These are users who are more likely to follow sources, boost updates, and pull others in, creating the initial network effects that a new social distribution channel needs to reach beyond its earliest adopters.

Where AltStore PAL adds a social protocol on top of existing infrastructure, Tangled has built its code collaboration platform on the AT Protocol from the ground up. The Finnish company, founded by brothers Akshay and Anirudh Oppiliappan, announced a €3.8 million seed round led by byFounders earlier this month, with participation from Bain Capital Crypto and angel investors including Thomas Dohmke, the former CEO of GitHub, and Avery Pennarun, the CEO of Tailscale.

Tangled positions itself as a decentralized alternative to GitHub, but what distinguishes it from other platforms for hosting and collaborating on code is how it uses ATProto as its foundational layer rather than as a social feature bolted onto a conventional setup. Identity on Tangled is an ATProto DID, which means you can sign in with your existing Bluesky account and your identity is portable across any application built on the protocol. Code hosting is distributed across what Tangled calls “Knots,” lightweight self-hostable Git servers that connect into the wider network. When you create a repository, you choose which Knot hosts it, and that Knot can be Tangled’s own infrastructure or a server you run yourself. Even the automated testing and deployment system, called Spindles, plugs into ATProto’s event stream to detect when new code has been pushed and trigger builds automatically.

Co-founder Anirudh Oppiliappan wrote: “There are several models for decentralised code collaboration platforms, ranging from ActivityPub’s (Forgejo) federated model, to Radicle’s entirely P2P model. Our approach attempts to be the best of both worlds by adopting atproto, a protocol for building decentralised social applications with a central identity.” The practical difference from Forgejo’s ActivityPub-based federation is that identity exists at the protocol level rather than the instance level. You don’t join a Knot the way you join a Forgejo instance; you have an ATProto identity and choose where your code lives, while tangled.org provides a unified view across the whole network.

The two selling points that recur across the press coverage of the funding round are European data sovereignty, with Oppiliappan arguing that “if your code lives on GitHub, Microsoft is legally entitled, under its terms, to train AI models on that code” and that “data sovereignty matters,” and the claim that Tangled is infrastructure for an era of agentic coding where AI agents need to participate as first-class network actors. Antler partner Jussi Kallasvuo frames it in terms of a bottleneck shift: “the bottleneck in software development has shifted from writing code to reviewing and managing it at scale.” If that is true, then the social and collaborative layers of a platform, the parts that help developers coordinate, review, and trust each other’s work, become more valuable than the parts that help them write code in the first place. Whether or not these specific framings prove durable, they signal what investors currently believe the market opportunity looks like in post-centralization developer infrastructure.

If AltStore PAL shows what it looks like to add a social protocol layer and Tangled shows what it looks like to build on one, npmx raises a different question entirely: what does it take to make the social dimension actually work? The answer, based on the project’s first month, appears to have less to do with protocol choice than with deliberate, sustained community formation.

npm is the default package registry for JavaScript, the system through which developers share and install reusable code libraries. It hosts over two million packages and is foundational infrastructure for modern web development, but the main interface at npmjs.com has long been a source of frustration: limited search, missing trust signals, poor visibility into dependencies and install sizes. npmx is a new, independent browser for this registry, launched in alpha on March 3rd by Daniel Roe, the leader of the Nuxt core team, together with Salma Alam-Naylor and Matias Capeletto (also known as Patak). The project builds social features on ATProto, including package likes and social profiles, and is sponsored by Bluesky as its first Open Collective sponsor. But the more striking story is the community trajectory: within 24 hours of the first commit, 49 pull requests had been opened, and within a month the project had attracted over two hundred contributors, more than a thousand issues and PRs, and a coordinated alpha launch accompanied by twenty interlinked blog posts from community members.

Patak, writing alongside the alpha announcement, traces the community’s growth to something older than the project itself. The community that coalesced around npmx did not emerge from the ATProto integration or from the technical features of the project. It was seeded from years of accumulated trust across overlapping open source communities, the networks built through Vite, Vitest, Elk, and e18e, communities that had been collaborating, expanding, and maintaining relationships across half a decade of shared work. Patak describes the process in terms of converging communities: people who had built trust through previous collaborations finding each other again around a new shared project, bringing their networks with them.

The social features that npmx builds on ATProto are real and useful, but they are not what made the project take off. What made it take off was active community work: creating a welcoming Discord, prioritizing accessibility and internationalization from the start as signals that attracted contributors who share those values, deliberately building bridges to adjacent communities, and, perhaps most importantly, taking a one-week open source vacation when the project was going exponential because sustainability matters more than momentum. The protocol provides the infrastructure for social features, but the community provides the social reality that makes those features meaningful. This is community management, the work of cultivating relationships and trust that no protocol specification can encode.

These three projects cover different segments of the software pipeline: app distribution, code collaboration, and package discovery. They use different protocols, ActivityPub in AltStore PAL’s case, ATProto for Tangled and npmx. And they integrate those protocols at very different depths, from AltStore PAL’s social overlay to Tangled’s protocol-native architecture.

All three are testing whether open social protocols can serve as the connective layer for software infrastructure that has historically been either platform-controlled or entirely non-social. What an app store, a code platform, and a package registry have in common is that they are all points in a pipeline where developers and users need to discover, evaluate, and trust software, and those are fundamentally social processes that benefit from open, interoperable communication channels.

The most interesting lesson from this batch of launches may be that the hardest part of this transition is not the protocol work. AltStore PAL, Tangled, and npmx have each solved the technical integration in their own way. The open question is whether the communities that form around these tools will be robust enough to sustain them, and on that front, the projects that invest as deliberately in community cultivation as in protocol architecture are the ones most likely to endure.

This article was sponsored by a grant from the NLnet foundation. 

banner-640x240
  • CC BY-SA 4.0
QR code connected places for donations - general

Connected Places is a labor of love. Want to support the work I’m doing? You can click here to donate, or scan the QR code.

That’s all for this week, thanks for reading! If you want more analysis, you can subscribe to my newsletter. Every week you get an update with all this week’s articles, as well as extra analysis not published anywhere else. You can subscribe below! Follow on Bluesky: this blog:  @fediversereport.com and my personal account: @laurenshof.online.