They abandoned documentation (edit: for the open source codebase) a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.
>The price of support comes in at at slightly less than the equivalent amount of S3 storage
That's absurd. I would be running to NetApp and Dell for competitive object storage quotes then. Haven't done pricing on either one recently but at least a few years ago they were roughly half the price of S3 all in (including hosting costs).
Maybe someone else somewhere is getting some unbelievably sweet deal but what I've seen from cloud discounting is more in the "single digit percentage" range than "2/3rds off" or something.
There are a ton of different discount options - large customers typically get between 50-60% discount based on committed spending, and AWS is pretty flexible around how that commit lands (they will allow roll overs even if they say they won't). Reserved instances get you ~70% discounts - similar to the committed spending. And my favorite - if it works for you - spot instances on EC2 come at as high as 90% off.
Nobody at commercial volume pays list to AWS - everyone gets a discount.
You can sometimes get a committed use discount within certain regions. Not as extreme as the EC2 discount, since S3 storage costs are honestly pretty low when you use storage classes correctly.
Everywhere I've worked discounts have been 40-60%. If you're getting leas than 40% whoever manages your cloud account isn't doing one of their job duties.
At previous $WORK we had similar bills. Our Account Manager got us some deals on S3 storage and egress fee (via CloudFront), in exchange for some usage commitment.
It was AWS Europe though, it may be different in the US.
There’s a lot of middleground between hobbyists and your company’s use ;) Most mid-sized publishers I’ve worked with are in the $4-10k/mo range depending on CDN availability
My point is that the parent I was replying to replied to “only hobbyists pay full price on aws”. The parent was expecting to get a discount on a 10k monthly bill. It is a lot of money, but not to AWS. You probably wont get (much) discount on 10k a month.
later: "no one who spends more than $10k/month pays full price"
curious, that no one says what their bills are when they say "40-60% discount", right? This thread started because someone mentioned dell/netapp because they were half the price of AWS, all-in.
I notice a lot of threads do this, lately. Not this topic, but topics in general.
Right, but depending on your workload, compute might just be 1/3 to 1/2 of your spend. The remainder going on storage, networking (egress and internal between regions & AZs), LBs, and higher abstraction services (from queues to search to serverless).
Feels great to talk about 27-50% but turns out it's 9%-16% when all is said and done. You can get commitment savings on other services but you need higher spend.
Feels odd that big cloud gives better discounts to enterprise. They really don't cater to startups as much as they posture.
I guess it's a good thing I'm not talking about list price. Do you really think when you're doing a cost comparison of AWS S3 to NetApp or Dell object storage a fortune 500 says: go ahead and use list pricing for the comparison? We plug in their existing discount structure... because otherwise it would be a rather pointless exercise for everyone involved.
Is anyone getting discounts on S3? There's easy ways to save on compute like reserved instances but I haven't found anything for storage other than the tiering system.
During an upgrade, I discovered that the console had been removed without any prior notice. MinIO really pissed me off.
Over a month ago, I started looking for a MinIO alternative and found RustFS. I've been testing RustFS for over a month now, and the product continues to improve, with the community fixing bugs very quickly.
I hope YC will invest in this company.
free software until mainstream acceptance. naive MBAs call it leaving money on the table, Microsoft calls it a monopoly-preserving strategy. no VC has the balls to go for the jugular anymore.
Not necessarily, but if there's a cost to providing free support to the community like official container images, then it will get cut. People comment that it's "free" to provide these things through Github, but it actually has a cost to the maintainers in time, and it's frankly an easy business decision to stop doing that at times in favor of roadmap work that produces business value.
What I'm learning from this is to provide basically zero support from the outset and let it grow organically if I ever build a business on an open source product. As soon as you stop supporting anything for free someone feels entitled to it.
"but if there's a cost to providing free support to the community like official container images, then it will get cut.", but here's the kicker, supporting creating docker images when you're on github is close to negligible as to be paper thin.
it used to be that people started businesses so that they could help others by providing a product or a service to them.
late stage capitalism arrives when people create businesses solely to get rich, and when other companies are created solely to get rich by helping those people create their companies so that they can get rich. that's what ycombinator is.
most of capitalism used to be symbiotic. engaging in transactions with businesses benefited both the business and the consumer.
now we live in a world where most or all of the benefit goes to the business and none or almost none to the consumer.
I think very few businesses were created just to help people. Maybe some nonprofits.
Lots of good businesses were created to just make their owners a reasonable income, I mean, most people will take “be rich” if that’s an option but have reasonable expectations.
The problem with heavily invested in companies is occurs when they skip the stage of being a small profitable business with an actual business model.
I think even 50 years ago, that most people started businesses because they had a skill and could use it to help others meet their needs.
HP started (more than 50 years ago) with two friends who wanted to make better electronic test equipment. Profit was not forefront in their mind like it is to an MBA graduate today. Hewlett and Packard wanted to provide quality test equipment to people, because a lot of the test equipment of the day was subpar to them.
By the time the 80s rolled around, they paid 100% of an employee's college education (no matter how high they wanted to go with that) and paid them 75% of their salary while they were away at school. College was cheaper then, but zero employers today would even briefly consider paying people any amount at all to not be at work while also paying for the thing keeping them away from work.
corner stores in crowded neighborhoods are not started to maximize profit potential for shareholders. corner stores are started because someone saw the need for a corner store and wanted to make a living running it; they wanted that to be their job.
Until the invention of the MBA I don't think most people who started businesses did so purely for money. There are many easier ways to make money. Today people can start shitting mobile games with pay to win mechanics and they will be rich when the first one takes off. No one creates mobile games with pay to win mechanics because they want people to experience the joy of microtransactions.
Every business today (certainly every tech business) is designed to find out what people want via market research, pick the thing that looks the most profitable, then through a very well developed process, turn that business into a source of retirement money for the founder(s) and a source of return for the investors. It is literally a photocopy model of business creation. "Follow the process and you will succeed."
No one is opening shops today to help their neighbor. No one is opening new bakeries because their town needs one. No one is doing anything that one used to see people doing everywhere they went. Profit-driven motivation ruins everything it touches. Everything.
Everything is profit driven, now. Everything. The MBA is the most disasterous degree ever devised. It makes people think that starting a business purely to make money is a perfectly normal and healthy thing to do, and it simply isn't.
> Zero employers today would even briefly consider paying people any amount at all to not be at work while also paying for the thing keeping them away from work.
Apple definitely had programs to pay all or part of relevant educational programs, and they sometimes paid for people to attend conferences. I'm sure it was much more restrictive than the HP policy you're describing here, but it was definitely more than nothing.
That's a bit naive. Look at the early industrial revolution, when most goods were still made at home, locally or on a small scale by craftsmen.
People went from having the land and resources to craft, for example, their own shoes, then a few decades later they were in a position where they had to buy shitty factory made shoes that fell apart instead because they were kicked off their land to work in factories.
I've seen the land that my ancestors left to become factory workers. There simply wasn't enough of it to feed everyone. In fact, the last pre-factory ancestor worked as an itinerant tailor because there was no land for him to cultivate.
I'm pretty sure factory work was a step upward for these families.
If they were giving it away for free and paying a non-zero cost to do it, that's not sustainable. And that clearly isn't taking all the benefit for themselves. This is a take so bad, it isn't a take anymore...its a personality flaw.
Literally nobody is making that claim. Nobody expects businesses to be charities.
The thing being argued against is businesses solely being viewed as a "get rich quick" gambling scheme, where the only thing that matters is a rapid rise in shareholder value. VCs don't want a company providing a steady retirement fund, they want you to go for a 1000x return or die trying. The logical end result is that you screw over your customers and employees whenever possible, and burn the entire thing to the ground for the last few bucks. Just look at what Broadcom is doing to VMware: they might've delivered some great shareholder value, but they did huge damage to society in the process!
We shouldn't allow businesses to operate like a cancer which grows forever until it eventually kills its host, leeching off as much in the process as possible. If you want sustainability, you should be clamoring for businesses which are happy to just operate: employ some people, provide a valuable service to society, and make some profit - no need to take over the world in a crazy frenzy chasing unlimited growth.
I'm currently testing for alternatives of minio on my homelab. Ceph was nice, lots of bells and whistles, built in support for virtual IPs is excellent, but on my aging hardware it was using 10-15% CPU in my VM while idle. Currently benchmarking garagefs, scales very well with core count and multi node set up is a breeze.
The benchmark against MinIO is nice, but I don't care much for the table vs. "Other object storage" which seems to try to aggregate all the worst points of all the others with no citation (e.g. why should I believe RustFS has no intellectual property risk but others do? What's different about them to back that up?).
That does sound much worse than hiding the pre-built images from users. I hope that documentation is archived. There's probably some benefit in documenting those installation tips elsewhere besides Github comments.
Yeah, running binaries of varying qualities taken from all sorts of places is a bad idea anyways. Distro packages are generally more consistent or even running "go build" yourself is probably better in this case.
But pulling existing documentation is a whole different matter. One can argue that they don't have an obligation to maintain the docs, though it would effectively make continued use of newer versions untenable. But pulling existing ones is an unnecessary rug pull when it doesn't cost anything to keep it online. It's a big middle finger to open source.
Unrelated but i find it funny that the Microsoft logo on the Install on Windows section is upside down on the redirected link docs.min.io/enterprise/aistor-object-store/
With 100PB clusters being built and not a cent going to them, you can see why minio has gone this route. I wonder if they will be "valkeyed"? Not by AWS presumably.
That's the open source model. It's entirely predictable that if you provide software at no cost that is capable of running 100PB clusters, that some people will and you won't get paid, because those are the terms that you set.
It's fine to change your mind, but doing it in this way doesn't build goodwill. It would be better if they made an announcement that they would stop creating/distributing images on some future date; I'm sure that would also be poorly received, but it would show organizational capacity for continuity.
If I'm considering paying them for support, especially at the prices quoted elsewhere in the thread, I need to know they won't drop support for my wacky system on a whim. (If my system wasn't wacky, I probably wouldn't need paid support)
There are a few challenges with open-source projects that want to also be commercial entities.
One is obviously knowing what you can add-on that people will pay for; support, for one, but people want more features too. What could minio have built on top of their product to sell to people? Presumably some kind of S3-style tiered storage system, replication, a good UI, whatever else, I'm not sure.
The second is getting people to actually know that that's an issue. I work for Tigera which publishes the Calico CNI for Kubernetes, and one of the biggest issues we have is that people set up Calico on their clusters, configure it, and then just never think about it again. A testament to the quality of the product, I'm sure, but it makes it difficult to get people to even know we have a commercial offering, let alone what it is and does and why it might be beneficial.
I could see the same thing for Minio; even if they have a great OSS product, a great commercial offering on top of that, and great support, getting people to even be aware of it in the first place is going to be a huge challenge and getting people to pay for it is even harder.
It's sad that they went the completely wrong direction and started taking things away from the community to force people to the commercial side of things whether they're willing to pay or not.
I reckon they gave away too much, and are clumsily rowing it back.
Gitlab seemed to do a good job of navigating a community edition as an on-ramp for sales. But it's obviously a lot of work to maintain that edition, and VC must be feeling less geenerous than 10-15 years ago.
e.g. maybe if it were my project I'd have kept back the S3-compatible ACL support and put in something super-basic. Or even cluster support. Right now it feels like they're cutting off everything they can while still being able to call it "open source".
That's a strange mindset, IMO. I'd be pissed if I had to pay $0.10 every time I turned a rachet, and it's weird to expect companies to have usage-based monetization on the tools they've made for others.
An analogy to making a physical tool doesn’t really work because we have to basically describe what software is in terms of exceptions to the analogy.
If I had a ratchet that, every time I turned it, I had to pay $.1, but I’d gotten it for free, but it was basically free to replicate, but the person who designed it did have to spend some significant work on R&D for the thing… I have no idea how I’d price that or how I’d feel.
I don’t think that’s what they were going for. They said “ I'd be pissed if I had to pay $0.10 every time I turned a rachet” so the person turning the ratchet is the one paying. Who they pay to is unknown.
It isn’t clear if you are trying to improve the original poster’s analogy, come up with your own, or change something about mine.
But, regardless, my main point was that describing the software in terms of a ratchet is not very helpful because hardware and software are different types of things.
You effectively do pay per turn of the ratchet. It doesn't last forever, will eventually break, and so you can amortize the cost of the device over the number of turns you expect it to make to get the per-turn cost.
Software on the other hand does not naturally wear out, in the same way physical objects do.
> If you were given the ratchet and then someone wanted to charge you every time you use it you would also be pissed.
People gotta eat. If someone's making valuable tools and giving them away, they still need to get paid somehow. If people aren't voluntarily tipping them enough, then something's gotta give.
There have been too many stories of open source developers basically burning themselves out for years, then it comes out that they're barely scraping by and can't take it anymore.
The problem then is that you're making a valuable tool and giving it away and then wandering around hat in hand. That's not going to work for anyone. Also, taking away things that you've already given people for free so that they have to pay you to get them back is not going to engender any goodwill.
Unfortunately, the minio devs seem to have fallen into the common trap: make a great OSS project that works and that everyone likes, give it away for free, not know how to make money from it, and then start making user-hostile moves that piss off your users to try to make them customers - and who, surprisingly, do not want to be customers now that you've pissed them off.
It starts to feel more like a protection racket. You've got some great features here, would be a shame if something happened to them. Oh no, your docker containers! Oh, that's a tragedy what happened there, but you know, accidents happen.
> The problem then is that you're making a valuable tool and giving it away and then wandering around hat in hand. That's not going to work for anyone.
That is textbook open source idealism: you give to the community, the community gives back. The problem is a lot of people are moochers, even very rich people who have money coming out of their ears.
> It starts to feel more like a protection racket. You've got some great features here, would be a shame if something happened to them. Oh no, your docker containers! Oh, that's a tragedy what happened there, but you know, accidents happen.
Come on, don't be so uncharitable. It's nothing like a protection racket, which is pure, planned exploitation. This is open source idealism coming into contact with capitalist reality.
I know this is anathema around here, but this is why I have always liked grant-funded open source work. Whether government or private, someone at a policy level decides that something is important, and pays for development, leading to a new public good.
The development cost is based on the complexity of the work. It doesn't require a royalty payment in order to deploy more copies or to run them at higher loads. The software already exists. Separately, normal economic decisions can be made around support of deployments, e.g. whether to use in-house labor, hire consultants, or subscribe to some service contract. Sometimes, but not always, the users are another grant-funded project.
This model isn't a lottery ticket for the developers, nor the capital class. But the developers get paid a good wage for the time they spend on a product. I've done it for the majority of the last 30 years, almost like being a conscientious objector to the VC marketing complex.
Unfortunately, there are societal forces working hard against open source public goods. I think regulatory-capture is turning the whole security space into a compliance moat for heavily capitalized players. And the higher education cost spiral keeps increasing the overhead for universities, where a lot of these open source developer jobs used to be found. These are overlapping, but I'd say not the same thing. The overhead in academia is more than just compliance burden.
And, the whole fad-chasing and hustle aspect of contemporary IT is an inflationary process, eroding the value of previously developed open source products. Over my career, it seems that production-ready code is getting an ever-shorter service life. More maintenance and redevelopment work is needed or else users abandon it for the Next Big Thing. It's been quite a ride for me, following the whole wave of GNU, MIT, BSD, Linux, Python, and scientific computing tools since the early 90s...
if people are giving away wrenches and not getting paid for that, they will quickly run out of wrenches, and they will learn. giving away something free does not inherently give them the right to charge for use of the wrench.
giving a wrench to someone where you charge based on usage should be something that is agreed upon up front, not at some point later, after a rug is pulled out from under the customer.
> giving a wrench to someone where you charge based on usage should be something that is agreed upon up front, not at some point later, after a rug is pulled out from under the customer.
You're mixing up non-capitalist kindness and reciprocity relations with market relations. They're different things. Downloading open source code doesn't make you anyone's "customer."
The thing that happens first with these "open-source gone closed stories" is the community (or one particularly big mooch) failed to reciprocate the developer's efforts or was otherwise undercutting them. Then the developer responded.
And of course, the predictable response from some parts of the community is "how dare you not let me mooch off your efforts forever. I am entitled!1! Protection racket! Rug pull!"
Conflating physical products and open source software doesn't usually make sense. The open source model is more like someone making a valuable tool for their own use and then agreeing to let other people copy the design and make their own version of it. Monetisation can come from various sources - you may be paid to make the tool in the first place or you may perform a job where that tool helps you (or whoever is paying you).
> People gotta eat. If someone's making valuable tools and giving them away, they still need to get paid somehow. If people aren't voluntarily tipping them enough, then something's gotta give.
No one is saying people can't charge for their work though.
Nuantrix distributed a version that was still Apache licensed and merely failed to disclose they had made changes.
This is after MinIO asserted that Weka had also stolen their AGPL-licensed code, showing that they extracted binaries from the distribution. They forgot that that 3-month old (unmodified) version was still Apache licensed though.
MinIO generally don't seem to consult lawyers often. They haven't even set up copyright assignment / CLA immediately after switching the license, so technically they are also incapable of selling AGPL license exceptions just like everyone else.
I've done my best to keep MinIO away from most infra I manage, not because of legal concerns but because it was kind of obvious they'd eventually go full scorched earth and either drop images or the source code distribution all together. Maybe now we can all move on to a fork, or SeaweedFS, or Ceph, or literally anything else.
They don't consult lawyers. The CEO husband and wife team get really angry and fire off threatening letters, but I've never seen them consult a lawyer before sending a letter like that or accusing a company of violating a license publicly.
That just means the fork would also need to be AGPL licensed, and the owner of the fork wouldn't be able to also sell a proprietary version with additional "enterprise" features. And IMO that would be a good thing.
I think it is unlikely a single entity would do that. But a coalition of current MinIO users might get together to create such a project, perhaps under the Auspices of a foundation such as the Linux Foundation. Although, I think that scenario would be more similar to OpenTofu than Valkey.
I am definitely not a lawyer, but as a thought experiment, would Amazon be able to take the AGPL Minio source code, turn it into a managed service, and resell that to customers?
Was under the impression that the answer is yes, they could - with the caveat that they'd have to release the modified source code of whatever backend services are also tied into the Minio source code. For example the AWS control plane that would launch customer instances of Minio, monitor it, etc would also need to be open sourced?
If they charged a cent, would people adopt it in the first place?
They still got paid for those free users. Via investments. Cash is cash. I don’t KNOW what the RIGHT business model is, I don’t run MinIO, and neither do you.
Nah, it's fine. It's Open Source, you can document it yourself if you need to! But there is no obligation from the MinIO authors to provide it, you're not entitled to it.
I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.
Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
there is a major difference between having an old image available and having it tagged as latest with no updates beeing available on a channel that before that published all updates with nearly no time delay
So that's not the same thing. Docker "official images" are a category of curated docker images. Minio is not one of them. The official curated images are here: https://hub.docker.com/u/library
The minio image is basically a community one that anyone could have created, but still shows in overall docker hub. It's created by minio themselves. I'm kind of surprised they haven't removed it, but with over a billion downloads they are easily in the top ten of whatever category they fall under creating substantial free advertisement.
Yes, I read it. Last time it was raised the same guy who announced they are doing source only distribution said they could definitely do it, then another member of the team closed it saying it wouldn't happen.
Given the developers have not replied to the thread after a day and the one who was enthusiastic is now the one doling out the information that they are no longer supporting their docker image, I highly doubt they will perform a 180 on policy and suddenly work with them to provide an official curated image. If they wanted to keep the docker image alive they would have continued updating it and not shut down community feedback begging for them to maintain it.
Docker has a vested interest in keeping popular images maintained and a billion+ download package suddenly becoming defunct is noticable to them. Minio seems to be prioritizing their commercial offering and removing support for their open source offering though. Nuking their community documentation doesn't spell anything good for the future of minio for the FOSS community.
> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.
People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?
No, it is a defense strategy. For e.g. hobbyists, it's basically irrelevant, and having something on a private LAN is fine. There is almost no chance of an issue. Not everything in the world needs to be maximally secured, and the people who are using those IAM policies are probably not pulling a vanilla image off Dockerhub to run something as fundamental as their storage layer. They probably also have firewalls tightly locking down which machines are able to talk to MinIO on top of token auth.
The cargo-culting around security is so bizarre to me. In a context where e.g. your organization needs to pass audits, it's cheaper/easier to just update stuff and not attempt to analyze everything so you can check the box. For everyone else, most security advisories are just noise that usually aren't relevant to the actual way software is used. Notably, no one in these discussions is even bringing up what the vulnerability is.
Notably, no one in these discussions is even bringing up what the vulnerability is
That's because of two things. The first is, assessment takes a deep dive into the issue, not a summary. Conjoined with the second, in that you must be ready to update if required, without issue.
In every case, it's less time cost even for home lab users to update instead of assess.
If it isn't, you're using terrible software, for example software which pushes security updates along with API and code changes. Such software doesn't take user security seriously, and should be avoided at all costs.
There's no way around it. Just do it right, don't half ass with excuses. Don't use terrible software. If it's plugged into a network, zero trust it is.
Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. Centos https://hub.docker.com/_/centos/tags)
I think the most they'd do is add the DEPRECATED note to the Docker hub page as they have done for things like Centos
Imagine the absolute chaos if docker would do that, pull vulnerable images offline. Not a single company would be able to build their software anymore.
Actually, Docker did something like that, where they limited the amount of docker images they would host for you for free to a reasonable number. The result was pretty similar to this current outcry: https://news.ycombinator.com/item?id=24143588
Again folks, you don´t "fix" anything by building a docker image. The fix is already in the source, you just need to run one command to build the image. The registry is something you should have in your infrastructure, if you are at least half-way seriously doing anything in the domain of containers and Kubernetes. But if you dont have one, it seems you are running things locally, for your toy project.Well then, just in that case just deploy from your local docker cache. All of this is actually merely a couple of commands in your simplified use-case.
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
Is it an excuse? Maintaining code costs money, and the previous versions are provided under the license, and you're free to modify it, pull selective patches and maintain them yourself. While It'd be convenient if the license was a promise to develop and maintain features for free in perpetuity, it just isn't.
I run into this in non-company backed open source projects all the time too. Some maintainer gets burned out or non-interested and all they're rewarded is people with pitchforks because they thought there were some sort of obligations to provide free updates and suppport
It is sort of an excuse. I don't use MinIO precisely because of this kind of behaviour - if I cannot easily develop, configure and test our applications, I'm not adopting it commercially, specially when there are a ton of options to choose from. In the end, this hurts the MinIO's enterprise offering. Having a robust, easy to deploy community edition, with predictable features, is a great way of allowing integrators to develop and test using your product, and to help the product to gain traction.
Conversely, if instead of making your users happy to pay you, you've made them happy to use your stuff for free, you own the consequences when you stop giving that stuff away.
Welcome to HN BTW, I see you were inspired to sign up and defend the project owner.
The ladder is still there! See that pile of wood there? That's where we put the rungs. And if dig in that hole over there you might even find the extension we removed last week...
How was the task of building this project easier for them than it would now be for you or me? I feel like you are using the phrase “pulling up the ladder” in a way that doesn’t track with common usage.
It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will chose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will chose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
"That expectation does not entitle anybody to anything though."
This is true legally, but not otherwise (socially, practically)
"That is their decision. Without any contract or promise, there is no obligation to anybody."
Again, true legally, but IMHO a really silly position to take overall.
Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.
Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.
Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.
Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.
More importantly - society has never survived on legal obligation alone.
I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.
This is a bad analogy. We are talking about building a very simple Docker image.
It is more like you went around your neighborhood and turned peoples lights on in the evening, then stopped.
Sure, it’s a lost convenience, but people can easily choose to just… push the button themselves. Or pay somebody to continue doing it for them. Or get a timer.
It’s really not a big deal, and there are plenty of alternatives.
I think you are missing the point of legal vs societal obligations and your analogy is equally bad. Minio's sold you this free light bulb and they also freely offered the service to upgrade it to the newest version every time a new lightbulb was released. There are many light bulb brands out there, some paid, some free, most of them also offer the service to upgrade the lightbulb automatically, even the free ones.
Then Minio decided to disable the feature to upgrade the lightbulb automatically, the code to update it is still there, they just don't want to do it anymore. Conveniently there is a Minio+ enterprise plan that has this feature. But hey! they tell you that you can easily set up your own server to update your lightbulb automatically. And most enterprise clients or people who have Minio lightbulbs in their office will do that.
But for single enthusiasts who don't have a server because they are just running a Minio lightbulb in their shed it's a bad situation, because if they knew this from the beginning they would have gone with another free lightbulb that updated automatically.
In short: Minio has the legal right to do whatever they want, people using minio have the right to be pissed. It's an all around bad publicity stunt and if I was a Minio investor I would really wonder why they are trying to piss off their loyal user base for a quick buck.
Sounds like an opportunity for someone to fulfill their own "societal obligations" and contribute back to the community they've benefited (taken) from.
All those people lurking while no one gets the idea to "ok, then I'll do the job for all of you" thing seems like the societal contract has been broken long ago.
I agree, but it is always harder to have someone fill a void for a previously solved problem. I think they eventually will, but it's almost like maintenance programming vs. greenfield development; it's a harder task that's not much fun, plus the interpretation that you need to do a buch of work for something you previously already had. Ill-will towards MinIO is completely understandable.
> I think you are missing the point of legal vs societal obligations and your analogy is equally bad
There are a lot of paragraphs in this thread laying the groundwork for this subtle strawman, but neither you nor DannyBee are addressing the real opposing position. That's the one that says there is no legal obligation and there is no social obligation. You're both treating the latter as if agreement about its existence is a forgone conclusion not in dispute. But of course it's in dispute. It's the basis of the dispute.
> But for single enthusiasts who don't have a server because they are just running a Minio lightbulb in their shed it's a bad situation, because if they knew this from the beginning they would have gone with another free lightbulb that updated automatically.
What keeps those enthusiasts from setting up a scheduled GitHub Action (or whatever system they prefer to use) to build the image for themselves?
How much (amortized) effort are we actually talking about here? One minute per release?
The point is not about what Minio's legally required obligations are.
The point is, there is a community project, and Minio has revealed they are leaving the community. It's not illegal that they do so, any more than divorce is illegal, but it's concerning to anyone who views themselves as part of that community.
It raises a point that is it smart to join a new community that depends on the same people or organization.
Your persistent inability to comprehend this makes you look like a poor candidate for future professional collaboration. Maybe you are autistic, maybe just a shill, but it's not helping you.
OK - I live in a place that's snowy for a lot of the year. I shovel not only my sidewalk but my neighbours' several houses on both sides. People are really happy and grateful. Over the years Mr. Johnson the senior on a fixed pension next door loses mobility and is really appreciative I keep his walk clean. The couple next to him has a new baby and a clear sidewalk helps them load up all the accompanying gear into the car. My snowbird neighbours are happy that their walk is accessible when they're out of town. The dad who walks several kids to school is happy there's less snow to trudge through twice a day (in both directions). The mail carrier is less likely to slip and is grateful. Dog walkers and (crazy) winter joggers don't even consciously realize the improvement but still benefit.
Then I decide to stop. It doesn't really matter why, I wasn't getting paid or had not made any sort of formal agreement or promise, I just don't want to do it anymore. Now I shovel my sidewalk to the property line exactly and that's it. Hey, that's my legal obligation; I don't need to do any more! Mr. Johnson now has a lot more trouble getting out of his house; we see him a lot less. The baby is crying while new mom slips around trying to load up strollers and diaper bags and a car seat. The snowbirds just got fined by city bylaw for not clearing their walk. That dad's school trip is just a little longer, colder and unpleasant.
Hey, this isn't my fault! All those people took my effort for granted; I never promised to shovel their walks! They have no basis to judge me! But you better believe that this decision reduced their assessment that I'm a "good neighbour". Community is built mostly on implicit agreements, norms and conventions that are established through practice & conduct over time. You're arguing the right/wrong of this in the face of legal formalizations, while others are just saying it is a fact, not weighing the benefits and obligations.
We had some neighbors that used it throw a big Halloween celebration. They gave out drinks and snacks, dressed up in very elaborate costumes, setup movies on outdoor projectors, and do hayrides.
They didn’t do it last year. I was disappointed, but I’m not angry at them. I realize that they were spending a lot of time and energy and maybe they are just burned out.
I’m sure there are people who are angry and judge them. But those people are spoiled, entitled brats.
The distinction is that it is entirely fine to be disappointed. It’s not fine to get angry.
If people were depending on the party for very important things, and the neighbors encouraged it, and gave no warning, then it would be fine to get angry.
Actually, in your analogy the reason why you stopped matters a great deal. For example, if you stopped shoveling snow because you are sick/injured, or because you are caring for a family member, nobody would think less of you as a neighbor. It's only if you stopped for a selfish reason that people would negatively judge your neighborliness. So to the extent that the analogy is instructive as to how we should think about MinIO's actions, we would have to judge the reason why they did this and decide whether that is worth thinking less of them.
There is an important point you are missing. Attitudes like this discourage people from doing nice things for others in general. Because you are saying that one nice deed or nice deeds for a period of time mean you are bound to have to do that deed forever for free.
This is the tragedy of the commons but not just for a field of grass, instead its for all human altruism. You really need to think about the consequences of this attitude because it doesn't lead where you seem to think it leads. In fact, it leads to exactly the opposite set of human behaviors.
PS The neighbors could easily just contract someone else to do the shoveling in the future and instead of being salty about having to pay, looking at it as how much money they saved in the past.
I mean, fair, but again, notice you're trying to actually, idk, understand the situation, use empathy.
I see GGP's comment attitude all too frequently on the internet ("nobody is entitled to anything") as the default. Which is such a nasty connotative strawman, it's kind of absurd. But hey, that's the internet for you.
Bad analogy, MinIO isn't a basic commodity required for life.
Maybe a car analogy (because they hardly work). It's like lending your car to someone everyday then stopping, then the person complains that they have no way to get around. But there is walking, biking, busses or buying your own car.
I don't see how "basic commodity required for life" is a necessary criteria for any ethical standards to apply at all. This is about trust, community and how to be a good project steward.
Then will you be volunteering your time and resources? Remember: once you start volunteering, you cannot stop, because you will "break everyone's trust and expectations" or even be "malicious". Happy volunteering.
This is exactly what happens when you volunteer. When you've had enough, or just want to spend your time in other ways, you're hounded to come back, to continue to help, and to varying degrees made to feel guilty because you decided to stop doing something that you had been offering for free.
I don't think this is a reason to never volunteer but you have to develop a thick skin, know where your lines are, and at some point politely but firmly say "no."
> Again, true legally, but IMHO a really silly position to take overall.
Is it? Let's take a look at the opposite scenario: What if MinIO never released any source code at all? They'd be just another 100% proprietary company like any other and would have never received any backlash for "pulling up the ladder behind them". So offering something for free and then rescinding later is treated worse than never offering anything for free at all!
What a way to entice companies to do open source guys, great job!
" So offering something for free and then rescinding later is treated worse than never offering anything for free at all!"
This is true plenty of times. In particular, if you violate social expectations/etc, you will often see this.
For example, here's an easy case:
I am about to go plant a bunch of trees.
A neighbor sees me going to do it, and offers to do it for me for free, because they like to do it.
I say cool. They can even say "just so you know, i'm not your contractor, blah blah blah" or whatever. Doesn't matter.
I go do something else with my time.
A week later, they did half the job, and quit, or they did the whole job and made a hash of it, or whatever.
1. It wouldn't make sense for me to expect them to fail or stop doing it or do it poorly just because it was free. Nor plan for them to fail.
2. Most people would still complain even though they paid nothing, and are arguably no worse off (depending on the options you pick) then when they started.
3. Most people would definitely feel like it was worse than doing nothing.
Now, in this example you could argue it's the poor quality/stopping halfway through that is causing this result, but you would IMHO see the same result even if they did a great job, but stopped after doing 90% of it, leaving me definitely no worse off, and probably much better off.
In the end, people's expectations are emotional and not simply rational.
Sticking with your analogy -- your townsfolk getting energy for free. As rational people they must include the possibility of free service being over at any time in their planning and act accordingly. Otherwise they're just freeloading.
Of course they are freeloading - and users often suck - but your latter doesn't follow.
It's fair in the singular case (IE if this is the only open source/free thing you use), but especially as you are dealing with more and more things like this (IE use lots of open source), it is totally irrational to expect them to plan for any of 50 open source projects they use to stop at any time.
It violates general good faith expectations. Just because someone is doing something for free doesn't mean you expect them to fail or stop - The cost is fairly orthogonal to most people's expectations. I don't expect any package in my linux distro to just stop existing or working at any time.
Sure, it would be sensible to plan for eventual failure of things you depend on, but it's not rational to expect people to plan for random failure of any of the things they depend on at any time, regardless of the cost of those things.
More to the point, it's not entitlement on their part to avoid sitting around waiting for the other shoe to drop all the time :)
The projects also often have the perspective of "it shouldn't be tha big a thing" but that's because they ignore they are not the only thing happening in their users world.
Did you read the comments on Github (linked by the title)?
So many commenters are just plain rude. They got free value for along time. Someone giving the free value decides to allocate their time otherwise. And the long-time receivers of the free value now cannot behave.
And you seem to make excuses for them...
It's just rude to behave like that after having enjoyed gifts for so long. They behave like spoiled children. Nothing to defend IMHO.
You're essentially saying that only users who contribute to OSS are worthy of attention and support. This is no different than saying that only commercial users, or those from specific countries, backgrounds, or industries are worthy of the same.
Those users who create issues, request features, and, yes, ask for support, are as valuable as those who contribute code or money. They're all part of the same community of users that help build a successful product. And they do it for free for you, because they're passionate about the product itself.
If you think otherwise then you should make your terms of service explicit by using a restrictive license and business model. OSS is not for you.
Yes, some people can be rude, demanding, and unworthy of your attention. But you make those boundaries clear, not treat all non-paying users as entitled children.
> If you think otherwise then you should make your terms of service explicit
FOSS licenses already do that: they shout at you in all-caps that the authors PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED.
Meanwhile the licenses don't say anything about communities.
For better or worse, OSI convinced everyone that "open source" is synonymous with using specific licenses that meet their definition. If that's the case, then how can it be a "fundamental misunderstanding of OSS" to strictly interpret OSS by the terms of the licenses, which don't mention any sort of "social contract", while they do include language explicitly contrary to such expectations of users?
> how can it be a "fundamental misunderstanding of OSS" to strictly interpret OSS by the terms of the licenses, which don't mention any sort of "social contract", while they do include language explicitly contrary to such expectations of users?
Because free and open-source software is more than a set of licenses approved by some governing body.
It is part of a social movement and ideology pursuing the open sharing of knowledge, and building communities around this where everyone can benefit, not just a select few. Software is one aspect of this, due to its roots in the hacker counterculture of the 1970s, but the core idea extends beyond it.
You can read more about this in many places. Bruce Perens specifically refers to a "social contract" in this early post[1] on the Debian mailing list. This is what is usually referred to as the "spirit" of open source, and is not strictly encoded in any official definition. The success of OSS depends on implicit mutual trust and respect, not on explicit rules and licenses.
Many open source projects have never opted-in to a social movement or ideological pursuit. Software meeting the OSI's definition can unarguably be called "open source" without any other implications of an ill-defined "spirit" which is completely subjective.
If I host a code repo on an otherwise static site, with no ability to contact the author or engage in a community, it is still widely considered "open source" if it uses an OSI-approved license.
Likewise if I host the same code repo on Github and disable issues and set the pull request template to say "All PRs will be closed and I will shout expletives at you for wasting my time", if it uses an OSI-approved license then it is still open source per the OSI's own definition.
Have you not seen some of the replies at the link?
For example:
"You are joking ?!
The commit about source only is 4 days old (9e49d5e)
We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may loose a paying customer with this behavior."
I do this frequently. To prevent vendor lock in and allow us to easily pivot if pricing gets out line. We pay to support the project and get technical support when needed. Considering how little we use technical support. It should be a good deal for the company.
For one: Using open source version often is a lot simpler. Commercial versions are hidden behind authentication and other weird systems to download. User experience can be a lot better.
Then there are ideological reasons: Purposly trying to make the open source version sustainable.
And then reduced lockin etc. by not using Enterprise only features by accident/convenience, which leaves the door open to leave the contract.
In my experience, you start using the open source version, realize you could benefit from paid support, so you "buy a license" and get your support -- but then you never have a big enough reason to do the lift to the commercial version.
Because I want to give a project money but also want to make 5000% sure the entire thing is in github, working, the latest, compiling and that we can do all of that all of the time? What is strange about that?
I think if you analyzed your day to day life you'd be surprised with how many reliances you have on norms and social contracts. I personally don't want to live in a world that depends on an explicit legal basis for every single thing, and I doubt you want to either.
The GP didn't say it entitled them to anything, but that it created a sense of entitlement. You are correct there's no contractual obligation to do so, but it was likely a part of the decision to go with their solution, i.e. "they make it easy to deploy!". It is a very logical conclusion to say "they just made it HARDER THAN BEFORE to deploy".
Promises are not always explicit written permission; that's why I got in trouble for re-broadcasting major-league baseball with only implicit verbal permission (thanks, Simpsons!)
> > When you always published and built Docker images for the public you are creating an expectation
> That expectation does not entitle anybody to anything though.
Note that implied contracts do exist, and sometimes expectations based on prior conduct do suffice to form an enforcable contract. In this case, I don't know whether you can reasonably make that argument, but that's never stopped enterprising lawyers before.
“I’m not legally required to be nice” has become a classic and very common HN/Reddit argument. While true, it’s kind of beside the point. People often go beyond what they are legally obligated to do, and other people often expect others to go beyond what we are legally obligated to do. This is about nice vs. not-nice instead of legal vs. illegal.
> Without any contract or promise, there is no obligation to anybody.
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with. There was no contract or promise. The fact you're paying for their service doesn't buy you these rights either. Those are just the terms of service both parties have agreed to.
Similarly, open source software is much more than a license. There is a basic social contract of not being an asshole to users of your product, which is an unwritten rule not just in software and industry in general, but in society as a whole. The free software movement is an extension of this mindset, and focuses on building software for the benefit of everyone, not just those who happen to pay for it, or those who meet your specific criteria. Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it. And your point is that that people who complain about this are entitled? Give me a break.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.[1]
Why isn't there similar expectations for users of Open source? That is be ready to take over yourself if maintainers do not want to do something anymore? Do not ask or demand anything. Do not expect anything but the code. To understand that you can not expect or be entitled to anything. And celebrate what you get just now.
With this the solution becomes obvious. You select piece of technology to build on you are fully and ready to take over it for purposes you want to use for it. The code is shared and you should not expect anything more.
> Why isn't there similar expectations for users of Open source? That is be ready to take over yourself if maintainers do not want to do something anymore?
Of course there is. Which is why many hostile projects get forked.
"That is the beauty of OSS", I hear you say. And I agree, but most people aren't developers. Even those who are, might not be familiar with the technology to continue maintaining the project. And even those who are, will still need time and effort to understand the codebase at a level that they're comfortable with maintaining it. And even those who are interested in all of that, might not do a good job at it.
So, ultimately, it is a very small subset of users who would not only have the capability to continue maintenance, but would manage to do as well as the original maintainers for the benefit of the entire community.
Most people saw an interesting piece of software, gave it a try and enjoyed it, and, if the project is successful, would probably like to continue using it. When the original developer ignores or is actively hostile towards these users, you're saying that they have no right to be upset about it? That's what I find ridiculous.
Yes, some people can be demanding and annoying, but that's true regardless if they're a paying customer, a contributor, or a "freeloader". The way you deal with this is by communicating and setting clear boundaries, not by alienating your user base.
I think you are digging in a little too hard here. If someone offers a capability that you don't have, and you build that into something you use, then saying that they should be ready for it to go away at any time and be happy to have had it, seems a little too much.
If there had never been an offer, they would not have built around it, and would have found another solution and, even if harder or more inconvenient, learned how to use that and built around that. Sure, no one is obligated to continue to provide them with the product, but saying that they are being unreasonable for expecting a little bit of warning time before having support pulled is a bit unrealistic.
I know we have done the metaphors to death already, but let's try another one: imagine if someone gave you a ride to work every day for years and one morning they didn't show up and you couldn't get in touch with them. You should have had a backup plan, and you shouldn't have depended on them, but it will take you a while to find a car and rearrange your schedule and learn how to drive or whatever you have to do, and all they had to do was notify you a month or two earlier that they wouldn't be able to do it anymore.
Metaphor I often see in FOSS. You are this hobby painter sitting every morning on Monmartre square in Paris, painting. It attracts people's eyes. They love your work and you become a sensation, going viral. Instagram influencers from around the world just need you in their picture, they say. You just shrug and paint. One day you got bored of Monmartre. Of pleasing the crowds. You want rest, a spot in nature to paint in peace. When the crowd learns, an angry oproar bursts out, and people demand you stick to your familiar spot, or else.
If the painter doesn't enjoy painting in public, then they should've picked a quiet spot in nature in the first place.
And yet, most people who do decide to share their work in public, directly or indirectly reap the rewards of it. They get exposure and recognition, which in turn opens many doors. I'm not saying that exposure alone puts food on the table, but it's certainly not entirely negative. Many people would envy to be in that position.
Your analogy is akin to any public figure enjoying their work, but not enjoying the attention. That certainly happens, but the attention, and all its negative aspects, comes with the territory. That attention might even be partly responsible for getting them to where they are. People in such line of work must learn to live with their choices. Not be surprised when their audience has certain demands and expectations, which may or may not be within reason.
And that's fine too. Someone else may or may not continue their work for the benefit of the community. They can be honest about it, and most people will be understanding and thankful for their work.
But that is not what happened in the case of MinIO, and many other projects. They deliberately removed features from the software, and made it more difficult to use. They prioritized working on their commercial product, and used the "community edition" as a marketing funnel for it. This is what I'm objecting to.
In any case, I've made my point clear, and don't like repeating myself. Cheers!
>Someone else may or may not continue their work for the benefit of the community.
Someone still can. They can't revoke the AGPL license of previous versions.
>They prioritized working on their commercial product
It's a company, not a non-profit. What else would you expect them to do?
I'm less understanding when a VC backed company does things like this, but many times its just a matter of "we were trying to make money by doing X. X is no longer working, so we're moving to Y".
I've also seen hostile mobs form when very small companies or individuals decide to start charging for things they used to give away for free, so it's not just that they are a VC backed company here.
Huh, even employment nowadays doesn't come with month or two notice from employers. And here some one giving things gratis need to issue notice lest you might be inconvenienced.
Do you actually want everyone to treat everyone else like employers treat their employees? I don't think that is as good of an argument as you think it is.
> The fact you're paying for their service doesn't buy you these rights either.
It certainly does. In the UK and many other countries (possibly not the US), as soon as you are paying for a good or service you are entitled that it is satisfactory quality, fit for purpose and as described. I think it's uncontentious that a meal at a restaurant that includes poo is not satisfactory quality. Businesses have less rights than consumers but this would still count. However, the restaurant is certainly free to refuse serving you at all (unless they're it's because of a protected characteristic e.g. because of your race or gender).
I'm not sure how much that affects your analogy since it was probably a bit too far removed from the original situation to be useful anyway.
No, it doesn't. Yes, there are general safety regulations in any country, but there are no hard rules as to what "satisfactory" or "fit for purpose" means.
My analogy was contrived to make a point. Of course serving actual feces is not "satisfactory". But I imagine that you can extrapolate my analogy into an infinite number of possibilities where someone who once enjoyed certain services or products can find them not "satisfactory" anymore. That is a commonplace situation in any marketplace, and it is perfectly valid for the person on the receiving end to be upset about it.
The one hole you can poke at my analogy, which I anticipated, is that there is (typically) no financial transaction between users and developers of free software. But my response to this is that a financial transaction is not a requirement for the social contract to be established with users of any product or service, regardless of its distribution or business model. Those users can still expect a certain level of service, and understandably so. This expectation exists whether the person is a customer or not.
A closer analogy might be a community kitchen, or garden. But it really makes no difference to my argument.
The free software philosophy is agnostic to how software is monetized. It's true that it is more difficult to do so than with proprietary software, but it's certainly not impossible. Many companies have been built and thrive on producing free software. The crucial thing, regardless of the business model, is to treat all your users with the same amount of respect, dedication, and honesty. The moment you stop doing that, don't be surprised when the community pushes back. That's on you, not on "entitled" users.
> No, it doesn't. Yes, there are general safety regulations in any country, but there are no hard rules as to what "satisfactory" or "fit for purpose" means.
There are not specific rules for every type of product in consumer law because that wouldn't be workable. Instead, you have to make your case in court, if it gets that far, that it doesn't meet that criteria. The judgements have to be made by squishy fallible humans, but it does happen; small claims courts rule on that sort of thing all the time. Your example would surely be found unsatisfactory.
So, yes, in the UK and other countries with a functioning political system, buying a product literally does buy you the right for satisfactory quality, and the right to get your money back if it isn't. That applies to everything from sandwiches to cars to email providers. (Again, that's only if you're a consumer. Protections are much weaker if you're purchasing as a business.)
I set a deliberately contrived example to illustrate why someone might be understandably upset when a service or product they've been enjoying degrades in quality, regardless of whether they paid for it or not, and the parallels that situation has with OSS rug pulls. Yet you've managed to make this about consumer protection laws, for some reason.
Since the conversation has derailed, and since I really don't have the patience to rehash everything I've already said in this thread, I'm out.
It's not contrived, it's just bad, unfit for the conversation at all. A meal at a restaurant is paid for, MiniIO is not. There's no room for "regardless whether they paid for it or not", the distinction is fundamental to the discussion. You don't get to decide it doesn't matter.
You can't complain that the neighbour who used to give you a handful of apples each day suddenly stops giving them to you, regardless of how dependent on them you've become. He did not "create an expectation", you did. He did not make you "dependent" on himself, you did.
> If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.
But MinIO didn't do any of that. They're still a 100% open-source project, with the proper license.
Truly strange analogy. 1) No restaurant is serving free food for years. 2) Serving poop will be really be very serious, legal issue even it was served for non-tippers.
Seems like the new definition of open source is not license, not code but What I need others must do for me
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with.
That has got to be the most fallacious analogy I've seen in a long time, and that's ignoring the fact that serving poop would get you in serious trouble in most jurisdictions. "False equivalence" barely covers it.
There is a basic social contract of not being an asshole to users of your product
Nope, nope...you win. Even more fallacious. Being an asshole to your users is a meme in OSS it's so common. Someone should tell that Linus guy about this 'social contract' he agreed to and signed that he's in violation of. /s
Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it.
You think there's a philosophy. Some other people here do. There is no consistent OSS philosophy. There wasn't back when Stallman was thinking "what should I call this thing that is Not Unix" and there isn't today. If that was remotely true we'd still be happily using GPLv2. Because at the end of the day there is what is written in the license, and then there is wishful thinking. Sometimes wishful thinking results in nice things, and sometimes...well...here we are.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start.
Ignoring the laugh-out-loud silliness of "you should pick all these things about your startup day #1 and NEVER CHANGE THEM", exactly what terms of their OSS license did they violate? Be explicit. Don't wave your hand and say "but social contract that doesn't exist!", "but philosophy I made up and want to apply to people who didn't agree to it!". Because a license only means what's written down in it, not what we want it to mean. I get that you think there should be a "No assholes, we'll never, ever pivot to meet market changes and we pinky swear we won't rug pull on you" license that people should be forced to use, but I don't think to many people will sign up for it. See: GPLv2.
You're correct and the project isn't entitled to any good will or usage from the community either. So they get what they get, just like the community. Or you know, everyone can just give a shit about each other even if it's a bit more effort.
You seem more entitled to your opinion than others.
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Not everything is legally enforced. Open source is a social phenomenon. Why are you so surprised that these social rules are being enforced socially?
There are obligations... it's how society functions.
> I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
I really don't get this entitlement. You expect that nobody should follow any social contracts and I'm sure are always surprised when people call you out for being asocial.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distributions standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.
Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.
This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.
I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.
I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.
No. There is no valid justification, and the suggestion otherwise suggests a lack of understanding of what exactly these rude individuals are demanding.
The very least people can do when receiving such quite extensive voluntary favors and dedication from others is to be polite and show proper gratitude and appreciation. Otherwise, they are not worth the personal and uncompensated sacrifice of time (a quite non-renewable reosurce) and personal health required for the support. They are not even worth the stress or brain cycles required for communication.
(Not saying there aren't plenty of people showing appreciation - otherwise we would have given up on FOSS entirely a long time ago - just talking about those that don't)
> No. There is no valid justification, and the suggestion otherwise suggests a lack of understanding of what exactly these rude individuals are demanding.
Like I said, the fact that people are human, and that minios did a thing repeatedly, is why the expectation is there. Saying it's not justified is like saying the sky isn't justified being blue, getting upset and frustrated about it is even more silly.
There's no need for people to be rude, I agree, but I don't really see any people being disproportionately rude in their comments, especially in the context of a provider who pulled part of their provisions without fair warning.
They are also, by complaining, incentivizing other people to not even offer free services in the future. Why set yourself up for accusations that you're 'breaking your social contract' or whatnot?
Why not talk about other parts of coexisting with humans? Parasitical relationships, having to learn and adapt, communicating your needs instead of making assumptions, etc.?
> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.
If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.
Is it malicious? I don't know. I prefer to believe in Hanlon's razor.
Is it irresponsible? 100% yes.
It’s irresponsible to use open source software, be it a docker image or the application itself, if you’re not willing to maintain it or replace it yourself at short notice if what the maintainer is willing to do/publish no longer meets your needs.
Don’t like it? Stop being a parasite and pay someone for a support contract.
It is also not irresponsible, or a rug pull. The project is still available, free, and widely packaged as it always has been, just one redundant source removed.
I don't get why one they would provide prebuilt binaries in the first place, and removing them is just cleanup.
> Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company
so its a communications issue? if minio or whoever explains this, OK. that's not what happened, so it's not what happened.
If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out it had a knife guard put in place.
We're not going around making kitchen knives illegal. I would go out of my way to mitigate footguns where an entirely legitimate use or legitimate source of confusion would turn foul, but if you chose to go out of your way to misuse it as a hammer or ignore documentation, then you're on your own.
In this case, we're not even talking about that though, it's just a redundant prebuilt binary getting janked. I don't think it makes sense to provide prebuild binaries in the first place.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)
- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
> if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it
Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.
> of course, if you run out of business or something bad happens to you, that's something else
Huh? So now everyone should let you know "it was out of their hands"? You have no idea how entitled you behave.
> There is some kind of implicit commitment.
No. That's just between your ears. It's putting fancy words on a feeling you have, not something that actually exists.
> what's the point of even providing pre-built Docker images if you expect people not to rely on them?
How do you know they had that expectation? And why do you care?
> This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
You are excusing yourself for these commenters that behave like spoiled children: not thankful for what they got for free, but only bitching when it stops.
Hey, tone down, please. Also, have you, for some reason, totally missed the first point in my comment?
> Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.
Fully addressed in the "if you can help it" part of my comment.
> You have no idea how entitled you behave.
I have 100% idea how entitled I behave. I don't at all. I don't use MinIO. As an employee, I push internally for relying on our own infra (but we are quite good at this already).
I don't expect open source projects to provide binaries. Well, I kinda do if they've been doing it though. Expectations vs entitlement? Not the same thing.
We're discussing human interactions and expectations here.
---
So, in your opinion, what's the point of providing pre-built binaries if you don't want others to be able to rely on them then?
As someone who develops free software in my hobbies and also as an employee, if I provide binaries for free, I 100% expect people to be able to rely on them, or I just don't do it, and I would 100% feel like I'd be causing them issues by stopping doing it on short notice. I would feel like I'd owe them explanations (and their can be valid ones I'm sure - burn out would be a hell of a valid explanation to stop working on the projects at all) if I did that. They'd not be entitled to receive the binaries from me, but they would expect it and breaking expectations is not very nice. I have difficulties seeing this another way to be honest.
Let's also recall that we are talking about a project who's business might have benefited from the adoption in the first place.
> why do you care?
I could care about nothing, but that's not what I'm on HN for. I'm curious and interested.
If you were relying on their pre-built binaries, you presumably still have them. It's not like they went and deleted them off of your computer. They're just not giving you new pre-built binaries (but they're still giving you new code for free! And others pre-build binaries for free anyway). Do the old ones stop working at some point?
Note that a CVE is not an indication that something doesn't work. In the real world, they're mostly relevant only for businesses that need something like PCI compliance. Especially for something like a storage server that shouldn't be directly exposed to the Internet. If you are a business that has some compliance obligation, you have no one to blame but yourself if you rely on others' charity to meet that obligation.
Existing binaries don't stop working, but adapting your infra to get the update can take some time.
Without other elements, it's definitely not nice to stop releasing the binaries out of the blue, especially for a security fix. To me it's purely a question of breaking expectations you've built yourself (I don't mean entitlement, I mean expectations).
Now, it's indeed not the end of the world, and:
> you have no one to blame but yourself if you rely on others' charity to meet that obligation
100% agree with you on this (that's my first point in my original comment).
> To me it's purely a question of breaking expectations you've built yourself (I don't mean entitlement, I mean expectations).
Let me stop you right there. MiniIO never promised to provide docker images for free forever, have they? So where does this "expectation" come from?
If thou are pained by any external thing, it is not the thing that disturbs thee, but thine own judgment about it. And it is in thy power to wipe out this judgment now. (Marcus Aurelius, quoted in Beck, 1976, p. 263)
...It's you who has built the expectation, not MiniIO, for it exists only in your mind.
I hope you do realize that most of your knowledge on how (y)our world works is, for a big part, based on implicit expectations that you or others infer from past observations.
> ...It's you who has built the expectation, not MiniIO, for it exists only in your mind.
The MinIO team understands very well that they have made everybody "build this expectation [each] in [our] mind[s]". They wouldn't have felt the need to write any announcement that they would stop distributing the binaries otherwise.
> for free forever
This is an exaggeration that grossly misrepresents what I'm saying, and without which your point becomes very weak.
You have two choices here:
(a) acknowledging how your fellow human beings build expectations and, harmed with this critical insight, leave in peace, or
(b) sticking your head in the sand.
I highly recommend the former, especially if you don't want to look like a Vogon.
I'll go further: if someone has been releasing a binary for each version of their software, without specific announcement, it would be unreasonable not to expect a binary for the next version. There's absolutely no reason to think things will be different and the binary won't be there.
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
Rant about the concept of open source freeloaders: there's no such thing as open source freeloaders. If the license explicitly gives you the right to use the stuff for free, there's nothing wrong in using this right. While it would be the right thing to give money / otherwise support the projects you rely on, it's on the software developers who decide to give these rights (I also think it's the right thing to do though) to figure out the business model.
There's also nothing wrong in being upset about something you relied on disappearing overnight. If someone decides to provide something for free, they should give time for people to stop relying on this free stuff if they can.
However, I also believe you should own it if you decide to ever rely on prebuilt Docker images. More specifically, if you are relying on prebuilt Docker images, you are letting someone else decide on a part of your infra. And yes, this someone else can decide to stop providing this part of your infra overnight. This is on you.
I also don't find anything wrong in deciding to not provide binaries for your open source project, or to stop providing binaries, including docker images.
> One who does not contribute or pay appropriately; one who gets a free ride, etc. without paying a fair share.
Which I believe is a bit more generic (giving back might not be the only way of being fair).
> You may think of that term negatively
But the term carries a negative judgement, what's the point of this term otherwise? Without the judgemental part, you'd just say "using for free" or something.
The whole question is: is it fair to use open source software for free?
And I believe it is. Actually, this is stronger than this: I believe people should feel free to use free software for free, and should not be looked down for doing so. This is key for freedom 0 to be an actual thing. (I'm not set in stone in this position and would be happy change my mind on this though).
The notion of "giving back" can be discussed. I believe it is fair to get stuff from Person A for free and then helping B for free (later or earlier), in the hope that some person P will eventually help / have helped Person A for free for instance - this has the potential to provide everyone with a strong, helpful society and it would be even more enjoyable and reliable than a society that enforces pair to pair transactions.
Indeed, if someone always takes stuff for free and never contributes to anything, I would find this unfair (unless for some reason they can't contribute back, because of a disability or something). I would call this freeloading. Society cannot work like this. But you need the bigger picture to assess this.
When you start to try thinking about all this, the concepts of giving back, fairness, etc, it gets quite complicated. You also need to take in account the way society and the economical system works as a whole. What are the incentives, the motives, etc?
Basically, qualifying someone as a "open source freeloader" without context just because they use freedom 0 without paying is quite bold and might not be fair.
What if a company uses MinIO for free but provides some nice open source software?
What a weird take. Open source projects exist to be used. If you didn't want people to use it, it wouldn't be open source. As such the users are doing exactly what the creator wants: using their product. This helps the creator in many different ways.
Of course many creators are selfish. Once they have benefitted from everyone using their project they think: we want more. Then the rugpulls start. They think they no longer need their users, so now they can abuse them for additional profit.
Indeed, it feels like most people today treat open source as a placeholder for "work I don't have to do myself" and then get confused/upset when the project and their own interests no longer align and requires effort to bridge that gap in alignment.
Coolify is already doing it but your comment is on the verge of being passive agressive. I wouldn't say these are open source freeloaders because they could be using things like watchtowers etc. which automatically update and it could be a very huge deal for automated updates especially after I saw that some recent CVE of minio happened.
Simply put this just hurts the security of people running minio, I wouldn't say its freeloading, its actively harming the community. There are people in that thread who are paid customers as well saying that they lost a customer. I wouldn't say its freeloading. Minio already has some custom license or paid offering and I think that they make decent enough money out of it, providing docker files and then stopping to is kinda a shitty behaviour if they are unable to explain the reasons exactly why. I couldn't find the exact reasons on why they are doing what they are doing except making it hard for people to self host.
It also inconveniences people who aren't freeloaders - or are you forgetting about the community?
People submitting PRs aren't freeloaders: they are building the product for you. People filing bug reports aren't freeloaders: they are helping you solve the bugs in your code. People writing blog posts about setting up MinIO aren't freeloaders: they are writing documentation for you. People holding talks about it at conferences aren't freeloaders: they are essentially doing free marketing for you. Even someone leaving a "thumbs up" on a Github issue isn't a freeloader anymore!
MinIO is also screwing over those active contributors, who are volunteering their time to improve the value of MinIO's product. That's not just "no longer helping freeloaders", that is "actively hurting the community".
Besides, I'm sure the community has plenty of people who would be more than happy to volunteer time to build Docker images. Do you really think MinIO is going to let them publish it under the official "minio/minio" name so the community can still benefit from it without MinIO having to "support freeloaders", or do you think there could be an ulterior motive behind nuking the image - such as pushing people to the paid version?
MinIO is not actually open source, their source code is just public.
The company I work at spun up a MinIO instance, and we got hounded by MinIO lawyers claiming we had to pay because "hosting MinIO alters the source because of injecting configuration" and therefore violates their open source license.
There have been multiple hacker news threads about this:
> It's an Open Source project - I don't understand what people are complaining about
MinIO is a commercial company that provides some open source components and some paid components and services.
This meme where nobody is allowed to be unhappy with anything when the phrase “open source” is involved is getting old. In the span of two paragraphs your comment discovered why this is frustrating people: They have been providing certain things in the open source leg of their operation and then yanking them and stuffing them under a very expensive commercial leg later, after people have begun using them.
Being upset about that is reasonable and understandable, even if it triggers some of the people who believe “open source” means nobody is allowed to be unhappy with anything, ever.
Company makes Open Source. Open Source community enbraces it, helps it to become the defacto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internaly only, is the gatekeeping they are now doing.
Its like 0 effort to provide these images.
And yes pricing pages like this is always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow i don't get MinIO anyway. They got over 100 Million of investment for an S3 system. Its basically a done product. Its also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
I'm not scared at all and could care less about building the image myself.
I'm also not 'entitled' because i'm doing this for another open source project we are now maintaining.
Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.
There is a difference between having the official Min.IO image with a stamp of approval vs. forked repos with their version of the same image. The only thing fixing this kind of issue is a fingerprint and build caches.
They are removing the official container images because 1. this is the magic source of running your software in helm charts etc. so now you need to act 2. in some companies you are not allowed to use random container images
And you are complelty ignoring my arguments. Its not entitlement if a companies product becomes the industry standard due to Open Source and then doing a rug pull like this.
> Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.
Wrong - it would be less secure if they did not share the source code and the Dockerfile along that too. As long as you take care to regularly update, where is the problem?
So just to be clear, they publish the docker image, they have an Github action which is basically free for them to build and release it into a free registry but they don't do it.
So i setup everything to do this on my github with their code and publish it on my package.
And you don't think this is stupid?
The problem is the critisim how they act and even if they release everything and its just building the image, you can't trust another source to upload the image someone else has build with this file. So now everyone has to build the same image.
The scenario you described is mainly just benefiting you. Whether Min.IO loses or wins something based on this decision, will remain to be seen. In either case they don't owe it either to me or to you to provide a built image, especially as they continue to provide the source, including the Dockerfile. In either case if in your setup you are not able to rebuild an image off of a Dockerfile, your setup is worth rethinking. Not to mention that on the security side, it's quite irresponsible to depend on an image from a public repo, without at least pulling it through an internal artifact management system with vulnerability scanning.
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining tractions.
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
They removed the admin UI from the web frontend in the f/oss version some months ago, too. I updated for security reasons and they'd stripped the functionality out. It's a jerk move.
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
I think (and I suspect many users would agree) that there is a big difference between "we are removing some unmaintained drivers for a piece of hardware which almost no one is using" and "we are removing a tentpole feature from the 'open-source' version of our application and making it exclusive to the paid edition".
Certainly, there are some pretty entitled people on that github issue.
But this attitude is too far the other way. Fair enough, you are under no obligation to continue providing a free service. But isn't it fair to give a bit of notice before withdrawing it? Especially after doing it so consistently for so long. Not legally required, sure, but polite.
They haven't even given notice after withdrawing it! They just waited for someone to realise and ask about it.
Bear in mind that many paid for services, on a subscription basis, technically allow the seller to change (i.e. reduce!) the service at any time. If they act in bad faith to their free tier, what should you expect about their paid tiers? You could argue you also shouldn't be using paid services that could behave that way but I think you'd struggle not to.
I agree with what you said, but I think “courteous” might be a better word than “fair”. Whatever word you use, I take it as a sign that unpaid use isn’t as welcome as I thought.
> I don't understand what people are complaining about. Noone is entitled to receive free Docker images.
Every time I read something like this, I recall this post from Rich Hickey[1][2] on why no one is entitled to benefit from another human being's goodwill and time.
From the post:
> The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.
> Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.
But not everything can be "fair game" when providing a service for free. Surely it wouldn't have been OK if they suddenly included a bitcoin miner or extracted credentials. They offered a free service, people trusted it, depended on it. Now, in my view, they have some responsibilty to their users.
Giving a notice in advance and releasing a final image that patched the CVE would've been reasonably responsible.
Years ago I worked in customer service. There was this guy who came in to to motivate us. He talked about the work of someone named Bob Farrell who had a chain of ice cream shops and sold burgers. He had received a letter from a disappointed customer. The customer had been given the extra pickles on his burgers for years and now one of Bob's employees told him he now had to pay extra for it. The customer said he'd never come back. Bob could have said "what an entitled idiot" and kept charging for pickles but he took that letter as a calling for how you should treat customers - just give 'em the pickle. It costs you next to nothing to give the customer the pickle and it makes them happy.
Minio doesn't have to give non-paying users anything, but the story still applies. Give them the pickle. It costs nothing in the grand scheme of things, and if it does, ask for donations like any open source project would do to cover your costs. But as others have pointed out, Minio is not an open source company, they are a commercial company that has source available.
> Minio doesn't have to give non-paying users anything, but the story still applies.
How on earth does it apply when your complete example story relies on the satisfaction of the paying customers. If you're not paying, you're not a customer - you're a user.
> If you're not paying, you're not a customer - you're a user.
This doesn't work with open-source projects: someone can still provide a lot of value to you without explicitly paying for it. If a community member volunteers a lot of their time to contribute code or provide support to other users, then you probably shouldn't piss them off either.
They/we certainly do (we are using MinIO as well). But they are NOT paying customer, nor do they pay something back (at least most of us dont), so they should not really feel entitled to the "value" that they were getting for free.
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
1. The MinIO image on Docker Hub has more than a billion downloads [^0]. With those download counts, people have almost certainly written scripts that rely on this image existing (including their own Dockerfile! [^1]). Them leaving these images around is just asking for security breaches later down the line.
1b. While, yes, no-one's entitled to freely-available container images, it cost them almost nothing to maintain their existing toolchain for this. Them deciding to pull the plug is purely and entirely a money grab (and a dumb one, if you ask me; look at how the community responded with OpenTofu when Terraform when BUSL).
2. Fortunately, MinIO is a Golang app and can be built with a simple "go install" (though the build instructions in their docs don't align with the build recipe in their Makefile [^2]). However, they could pull a Tesla and make the source that they publish differ from the source that their binaries are built from.
3. They gave NO notice. That's the slimiest part of all of this. Tens of thousands of Kubernetes clusters, and handfuls of enterprise products, run or package MinIO that are now using images that will no longer be updated. All of these people will need to completely change their toolchains to account for that, and soon. That's just not a kind thing to do.
"It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. "
While this is true, in all of these discussions, somewhere the notion of responsibility often gets lost.
If you publish a project, encourage people to use it, promote it heavily, etc, then get lots of users, and then decide to kill it, while it's true you legally owe nobody anything, it's sort of crazy to claim people are acting entitled when they complain.
After all, you encouraged people to use it and promoted it!
Again, do you legally owe them anything? Nope.
I am much more empathetic towards those who get surprised by the growth of their projects, or otherwise didn't try to make their project popular and decide to quit when it becomes too large too quickly and becomes a burden.
In general, if you try to encourage lots of people to use or do something and succeed at that, you end up with various forms of social responsibility to those people. That's true in most things, not just open source.
Open source does not get a pass at this social reality simply because, as a legal reality, those users are not owed anything.
You don't understand, or don't agree with the complaints. Those are two different things, and I suspect you understand why people are complaining and instead disagree with the complaints.
People are complaining because something was available, they adopted it, then it was discontinued. Apparently with little warning, and after they'd been encouraged to adopt it by the provider of the images.
As it happens, I agree with the general idea that if folks are not paying for the convenience of builds, then it's on them to work from source. However, it's better IMO if a vendor or project start from that position rather than what's seen as a rug-pull.
Of course, it's part of the playbook: when something is new and not widely adopted, the vendor goes to great effort to encourage adoption -- then the vendor starts looking at the paid vs. free usage and sees "huh, we have a 10000:1 ratio of paid to free users, including ten megacorps that show up grabbing binaries every 10 minutes for their CI/CD farm, and asking questions in our forums, but aren't paying a penny toward development and our investors are getting pissy."
Exactly. looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
Or one can just use old images. Which is what many people started doing after their other fuckup - removing perfectly working web UI from free version.
They just can't stop shooting themselves in the foot that didn't even heal from last time.
The last tag with a working web UI is RELEASE.2025-04-22T22-12-26Z btw.
Yeah. They also created a open source test suite for S3 clones.
This is a set of unofficial Amazon AWS S3 compatibility tests, that can be useful to people implementing software that exposes an S3-like API. The tests use the Boto2 and Boto3 libraries.
Oh heh, a trip down the memory lane. I wrote the initial version of that, in an era where AWS docs did not match observed S3 behavior. The only way to make an S3-compatible API was to create a suite of over-the-network tests to run against both AWS S3 and radosgw.
We also had a little grammar-based fuzzer for S3 requests (really, any HTTP), but over the last 10+ years I've lost track of what happened to that code. That found some incompatibilities with allowed character sets etc too.
Can vouch for it as an adequate self-hostable option. It has some missing features, compared to Minio, and is less compatible but works for most applications.
Garage worked for most of my use-cases but it lacks, among other endpoints[0], bucket ACLs and bucket replication. Anonymous access is also an open issue[1].
They are also a comparatively young project and while fully OSS do not, afaik, appear to have a solid long term funding source yet. Though that might be an opportunity to support them, if your company is interested in picking them.
Garage should support partial content seeking via its HTTP interface, if it is S3 API compatible which includes support for range requests/206 Partial Content response.
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
If anyone is wondering, the Dockerfile for this repo (thanks for sharing!) basically just copies the binary in, it is a 19 line dockerfile.
I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself.
>I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself
I don't. It's automated, it needs approximately zero attention. This is just a company that got where it was benefitting from open source taking the free toys away thinking there'll be profit in it.
I've spent a lot of time trying to get pytorch working inside docker against cuda. That's a big challenge even just on one architecture. It isn't as simple as you make it to be and they have to determine how they allocate resources so they can pay people. I'm still grateful for this project and would rather they dice focus on functionally than packaging.
Curious how you handle legal reviews by your customers' shipping AGPL licensed software? We've had a lot of pushback from legal even on licenses like MPL
What makes me sad is that, as mentioned in other threads, this destruction in reputation could've totally been avoidable. If MinIO had took the time to give out warnings months in advance and help community members (or even other companies) to host the Docker builds somewhere else, there would've be close to none backlash. Yet they've decided to make it such an abrupt transition and especially when a CVE is involved.
1. MinIO is a business and they don't owe anything to anyone for free.
2. People using the OSS version also are free to express their dissatisfaction.
This is not contract law though. This is about using OSS as a marketing gimmick to get mindshare, penetrate the market and then do a bait and switch.
From one hand, it is within their right to do whatever they want as marketing.
From the other hand, we as the community should be more aware of OSS as marketing vs OSS as we would like to see it.
There is a damage to the community however: this erodes trust in OSS companies, so just like "content marketing" or "influencers" or any other type of marketing, after a while it loses its effectiveness, to the detriment of real "content", real "influence" and real "OSS".
People should understand from the outset that open source contributions from for-profit companies must benefit that company.
For VC-backed companies -- or anything else where it's spend now, profit later -- the bait-and-switch is practically inevitable.
(Or, of course, the company can simply stop contributing, either from going out-of-business, or pivoting, or being acquired, etc.)
If you're considering building long term on oss from a for-profit company you should count on having to pay in the future. You should believe you have a decent understanding of their business model so you have an idea of how much you might need to pay. Of course that's usually very difficult for VC-backed "spend now, pay later" companies, so you might be best off avoiding them for anything long-term or foundational unless you think you can bear to switch, possibly on short notice.
I generally agree with your point. Over the years of being responsible for technology stack choices, I've come to apply one rule of thumb on OSS projects: is the project a core competency of the company behind it or not. For example, Github might open source their language detection library or Shopify might open source some frontend development project. These are not core competencies of Github or Shopify. Their business is somewhere else.
However, if I start a business and open source my core competency, with or without VC money, I will have to turn a profit or die, which leads to such outcomes, from MinIO to Hashicorp.
I agree with all the points you make. Just adding a detail to the following bit:
> 1. MinIO is a business and they don't owe anything to anyone for free.
I don't think MinIO discontinuing the free docker image is really the problem here. Creating and distributing such images cost them practically nothing - either in infrastructure costs or in HR costs. If they find it that difficult, they only need to say it. Either the community or another company will gladly take it up for free. Even other cloud projects have alternative distributions like Bitnami builds.
The real issue is the pattern of behavior that this move exposes. They seem to have removed the web UI from the community edition claiming that it's hard to maintain (another thing the community would have gladly taken up if they were informed). They also stopped updating the community documentation. And these largely escaped attention until the docker build was discontinued. That itself is controversial since much effort wasn't spent in letting the users know that their current image was going to suffer bitrot indefinitely. Apparently there was also a CVE which was fixed in the source. They didn't consider it necessary to at least push the fixed container as a final measure.
All these are certainly hostile and unkind towards the community and it's bordering on dishonesty. They didn't lie. But neither did they do the bare minimum expected when taking such a drastic measure. It's clear that they're withdrawing their generosity for more profits after gaining a lot of mindshare with their earlier offering. I don't believe that the docker image alone would have inflamed the community so much.
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interesting to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
garage devs have told me of 10PiB+ deployments in production, but I've never operated one at that scale so I can't share much insight into the experience. Probably best to ask on their matrix chat.
I don't think this is really a big deal. Plenty of others already maintain public OCI images of Minio (Bitnami is one example). So long as that's the case, there are options. I'm not familiar with Minio's licensing terms, so maybe they can put an end to that practice if they want to, but I suspect there are drop-in replacements other than the official Minio Docker Hub image.
What Minio is doing wrong here is thinking too highly of themselves. Their product is a fine implementation of S3-compatible object storage. It has some features that make it attractive for selfhosting. It's far from the only solution, though. The harder they make it to use, the more people are going to switch to easier alternatives.
A lot of companies try to lock down their popular open source/free products once they have a large market share. It always backfires.
Hashicorp did this. There's no reason to use Terraform anymore; OpenTofu is a drop-in replacement that is just as good for almost everyone, and all the community support will shift to it such that it will inevitably be far superior to Terraform.
Redis became Valkey. MySQL became MariaDB. OwnCloud became Nextcloud.
There are countless examples. Yeah, the commercial entities continue to exist. For companies that need support and contracts, there will still be a market. But they are destroying their pipeline for new customers. Why would anyone use a closed commercial project with no community contribution when there's a free, open source option that's either a 100% compatible drop-in replacement or a low-effort pivot to a functionally-equivalent solution without vendor lock-in and burdensome restrictions?
Minio is shooting themselves in the foot. Most people don't give a crap what's backing their object storage, so long as it works.
Yeah, I saw that recently. linuxserver.io bundles a lot of apps into OCI images, and I use many of theirs because they tend to be better-designed than official ones—or at least more consistent.
And while some people might be intimidated by it, it's not a huge lift to make your own images. I don't mean to trivialize it, because it's at best inconvenient, and can be challenging. In many cases it's only a few minutes of work to bundle something up. LLMs are great at this. For a Golang app like Minio, it's a piece of cake, since you don't have to install a zillion dependencies manually.
Really easy, I made a script to build bitnami images from a command line menu and push it to your dockerhub. It also detects changes in versions and you can rebuild and push again.
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and "
While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
It's absolutely stunning that people actually defend this behaviour!
The community is having an outrage - and rightfully so - about a silently discontinued artifact delivery at a very critical time.
Which is their opinion and every human being is entitled to have their own opinion and state it openly.
It is also perfectly fine to expect a standardised behaviour to continue.
However, what is most important is that is perfectly fine to shame an open source product for pulling features and money grabbing people after years of gathering community and locking them in.
I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
You are a farmer, not a big fancy profitable one. Your tractor is from 1970 and works great, when it works. Your wife has health problems and can't really help out around the farm much - kids have gone off - so you just do things mostly by yourself. With your lucky dog Skip by your side. Even though times are tough and money ain't coming in like it used to - you still give free produce to the local schools and shelters. You've been doing it for over 20 years, and the community loves you for it.
But then your wife passes. Medical bills are too high. You can't give away free produce to the local schools anymore.
The community is outraged. They come to your farm with pitchforks. They set your barn and fields on fire.
> I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
Not very much at all. It looks like they're hosting on Docker Hub which doesn't charge for bandwidth. I could create a pro account for $11/month and be able to serve an image billions of times. The compute to build an image is small enough that it can be done at whim on a dev machine.
But when you plug in the numbers: that the farmer raised $126 million, and hosting unlimited Docker Hub pulls costs $11/month, it doesn't quite feel the same.
It's more like the farmer was giving leftovers for free to schools and it was so good that it made him famous. People from all over the country came in, including businessmen who told the farmer he is missing out and should be charging more for his food.
He started a restaurant chain but, the businessmen went further and said that a quality product cannot be given away for free and made him stop supporting schools and shelters which got him rich and famous in the first place. Even tho, he was just handing over leftovers (it cost around USD 100 to host a docker image - yearly)
Think EA, Microsoft and Xbox, Broadcom and bitnami.
I don't understand the point. The entire raison d'être of this project is that you self-host it and don't pay money for S3 and control your supply chain.
If you are denied this possibility — it is much easier just to use S3.
Ceph is an open source project run by a foundation. Minio is a company backed by VCs looking for a return. There is also seaweedfs, powerscale, openstack swift and hyperstore. The S3 compatible space is crowded.
Curious about one thing - does Ceph's s3 compatible api support oidc based auth? We used to use this with minio before switching to aws s3 and using presigned URLs.
As a user of Ceph it does feel like a truly open source project. Redhat/IBM do sponsor a lot of work on the project but there are lots of other contributors. I have contributed maybe a dozen changes myself and it was quite easy to do and the maintainers are fairly responsive.
I haven't used minio in years, and when I did I only fiddled around with it, but my recollection of it is that it's about the simplest build chain imaginable. Install modern golang, build minio, get single binary.
Anyone relying on an opensource tool like minio, needs to look at:
* organization supporting it
* the license
* the build chain
* who else uses it?
* the distribution artifact needed for production.
Once you've looked at that you can decide "is this an anchor I want to handcuff myself to and hope the anchor won't jump into the icy blue deep taking me and my dreams with it?"
If the org behind it ever decides to rugpull/elastic you, what're you gonna do? At least with something like minio, if they're still distributing the source it's trivial to build (and if you can't build it you should evaluate if you're in a position to rely on it).
Let's look at other cool open source things like SigNoz which distribute only docker artifacts (as far as I remember, anyhow) -- if they were to rugpull that people relying on it would be totally lost at sea.
This isn't to say that this isn't poor behavior on minio's part, but I feel like they've been signaling us for a while that they're looking to repay their VC patrons.
They have also removed the web UI and stopped updating the documentation for the community edition. The former is not extremely serious as the community can easily replace it. The latter is arguably the worst among all the changes that we know of. While they do redirect community documentation towards its enterprise counterpart, it's becoming clear that the differences in the community edition won't be addressed at all. That will make MinIO community edition less viable over time.
Overall, it's pretty clear that they don't view the OSS users kindly or want them around. I'm pretty sure that they would drop the entire community edition if they could do so legally and without much fuzz. You can expect more like this in the future. So this story shouldn't be seen simply as the loss of a docker image.
Right -- I think it's quite clear that if you're relying on the free minio you need to look elsewhere or peer up with some others and fork it.
And any adoption of a critical piece of software needs to have a risk calculus associated with it of "what if they get bought by CA, invaded by Russia and murdered, murder their wife and go to jail, or dedicate their remaining time on earth to writing haiku?"
Both open source software and commercially supported software have risks and mitigations. I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
> I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
I agree with that. It's just that I find it very annoying that these companies turn against the OSS (user) community after they've gained enough market share by taking advantage of the community's trust and network. This discussion thread itself is full of people calling the users 'entitled'. That's some level of gaslighting! The real question is, how much would these projects have succeeded if they had started under the same terms as the ones they've now switched to? If the answer is 'not very much', then that means the community added significant value to the product, which these companies are now refusing to share and running away with. These companies are the entitled ones, besides being deceptive and dishonest.
The case with MinIO is not as egregious as the others we have seen - elastic, for example. MinIO is still under an open source license. But their decisions to let the community edition documentation rot and to remove the web ui make it very clear that they're trying to make the community edition as unviable as possible without having to take the heat for going all out proprietary or source available. Does this tactic seem familiar? This exactly what Google does with AOSP. Slowly remove and replace its OSS parts with proprietary software and gradually kill the project. Again, it's deceptive, dishonest and distasteful.
Both free software and open source software have a tradition of not excluding anybody from participating in the process, community and contributions. But looking at how much certain companies damage the trust and fracture the community for some extra profit, it might be a good idea to start asking if they should even be given the opportunity to do so.
Unfortunately yes. I have been looking at one of the well-known VPN infrastructure providers and they use "AI" on their website a bazillion times. Insane.
Hey Mike Donovan here. I work at Docker and help with the Docker Official Image (DOI) program. If you're interested in a DOI being created to support the MinIO community chime in here: https://github.com/minio/minio/discussions/21655
With docker build comes a whole slew of dependencies that you wouldn't have with official images. You need some place to host the image, or build on the servers you use for deployment, and cross platform compilation (i.e. ARM images) becomes an issue.
It'll take more time than just typing out a comment on HN to get all of that in play. Actually getting a docker registry of your own set up with auth and everything can easily take half an hour, and adding+testing periodic sync and compile steps in your CI/CD will take another couple of hours if you're not set up for it.
Hardly the end of the world, though. Reminds me of the infamous "why can't people on github just give me the .exe" reddit troll post.
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Anyone including MinIO. So why did they stop doing it when it was so easy?
Especially because they haven't provided any reasoning for this decision, so everyone assumes the worst. I can't really think of any reason for this that puts them in a positive light either, can you?
I have a 160TB minio cluster running for 4+ years who had dealt beautifully with node outages, one drive failure and the occassional hiccups on the datacenter.
I was okay with not having support because I am not part of their customer base. I was okay with not having the webUI, though I wish they made an option where the webUI would be available for some basic-tier paid customers. But I can not be okay with this move. They are just giving the finger to all the community. They never tried to work out a solution that could let smaller users to contribute or support.
I will seriously have to consider moving to Hetzner object storage.
Right now, my problem is that I can not update my minio cluster because I do not know of any trustworthy docker image that I can use, and the version I am on is exposed to (at least) one known CVE.
Every time I used it for more than that I ran into performance and other concerns (like durability and consistency) pretty quickly. I cannot imagine how this is used seriously when there is something like Ceph available.
Turns out most file systems are horrible key-value stores.
>I cannot imagine how this is used seriously when there is something like Ceph available.
Adopting Ceph is adopting a Ceph engineer, any use-case with the need and funding to run Ceph on production would easily be able to pay for commercial licenses and/or contribute majorly to this or their own fork. They work in different ball-parks entirely
Yeah CI tests and local dev environments for code that runs against S3 in prod. Right now sifting through the alternatives for whatever is easiest to run as a container in Github actions or docker-compose...
I use it to test my tiny written-from-scratch S3 client in my server app. But then I already have it installed, it already works, and I don't care about updates.
Fun, I had just started using it as a the data store for a distributed Rust compilation cache, guess we're moving that somewhere else. Hopefully the choice of NixOS as our server OS will make this easier rather than harder.
What alternatives do people recommend that has at least similar features-set and at least similar performance as MinIO?
I imagine that this makes it much less viable for hobby use, or as a dependency for other open source projects, but setting up a private docker registry and building this image nightly isn’t onerous for any business
The fact that these things are happening at all is enough for us to shop for alternatives. MinIO will be completely gone as soon as we identify the best option and get it rolled out, which should be rather quickly.
If they were hoping to drive conversions to paying customers, they've done the opposite, at least with my employer.
You can't put 3 lines in a Dockerfile but will be "shopping for alternatives", "identifying the best option" and "get it rolled out"? Do you ever get anything done, "rather quickly"?
Their trend towards walking away from the community is a major red flag to me. If we're going to need to swap them out for an alternative at some point, better to get on it now than wait until we're forced to do so.
Boomers stuck behind the times, vendoring their dependencies and even looking at the code they compile. Get with the program already and just push another container!
> We initially explored a basic admin UI for the community branch but haven't actively maintained it. Building and supporting separate graphical consoles for the community and commercial branches is substantial. Honestly, it is hard to duplicate this work for the community branch. A whole team is involved in console development, including design, UX, front-end, back-end, and pen testing. This commit introduces an enhanced object browser but removes the unmaintained admin UI code.
They deleted the admin UI from the current version of the open-source side. It's time to pay the VCs, the project is being rug-pulled and they're going all in on the enterprise version.
I believe it's too early to judge public adoption. Let's see in a few years if it degrades somehow. For now, they jumped from 55,880 to 56,319 GitHub stars in one day.
From the product side, I don't see how this should affect new adopters who didn't read the hn post yesterday
Pure anecdata: the fact that this is happening at all has us (at work) looking for alternatives. Once we finalize on the best one we'll swap out MinIO permanently. I can't imagine we're the only ones, but who knows?
If you use this tech, perhaps you could explain what the real issue is behind dropping Docker? I mean, it's still AGPL licensed — why can't you use it from source?
In other words, what is the significant difference for your team that's worth changing the stack and navigating through the uncertainty of an alternative product?
Part of it is the trend of MinIO walking away from community customers. That to me is not a good sign, especially when it comes to project longevity. Do projects that do this kind of thing continue to flourish and thrive? I'm not sure that they do.
It's hard to feel good about remaining hitched to a horse that continues to send out red flags, especially when there are other good options out there for us.
Ease of setup and certified working solution. And yes, people should pay for certified working solution. But not when they use it the first time itself
However, I also understand that for any organization it is very painful to change their existing stack, thus I'm trying to understand what is gained between AGPL sources without Docker and switching technology to something different with Docker except 'ease of setup'.
A lot of small shops will find it easier to shift to a compatible S3 object storage which have their own docker compse scripts up and running than figure out how to build minio images successfully. Most products nowadays gives you ansible and docker scripts which can get you up and running inside an hour and then you can configure stuff later.
Building something on your own on the other hand is probably easily a half-time engineer just for build quality and dependency tracking.
Huge number of MinIO shops is one head node and 7 jbods in a single rack (giving you more thsn 10PB). And two such racks for redundancy and one offside rack for backup.
Not in this position, but obviously this might be the first of many measures taken. Next they could make the repository private. Code is only for customers, Red Hat style. It's not as popular as RHEL - a CentOS style effort is unlikely to materialize. Bug tracker and forums private. Lawyer letters about whether or not your usage is license compliant and a reminder that it would be expensive to prove it is, Oracle style.
Open source means what the license says it means. Expectations and conventions can be broken.
Most of people here put an equal sign between being open source and having Docker image.
For me open source is a license, and Docker is a distribution feature. From this prospective I can not understand how distributional channel and type of license are related, as code is still AGPL.
OK, have a look at GitHub contributors metric. 404 today, 405 yesterday.
Just to clarify, I'm not affiliated with or protecting MinIO, I don't know anything about this software. But it seems to me that there's some overreaction about Docker here, and in reality it is highly possible that this decision might not affect the product the way it's being discussed these days.
Are those active contributors or lifetime contributors? And don't those counts leave out anyone who doesn't have a github account or doesn't associate their got email with their github account?
I'm glad to have migrated to garage in time. This is quite unfortunate though as a lot of open source projects, like plane.so, used minio via container images for s3 with docker compose.
Minions has taken away the admin UI for everything except a bucket browser in one of the last releases.
And now they have stopped publishing updates to their community edition docker images.
As the linked GitHub issue points out this now means at least one vulnerability will be unpatched (unless you install from source or switch the image) for anyone relying on updates to the original container image.
My loss exactly was that minio lost most of its appeal when it stopped having an integrated management console. It also seemed they were moving into a direction where features were gonna be more separated off for their aistore products over the community edition (a fair move but not something I want to happen to my deployment).
I feel like this could be used till the time plane.so or other projects feel like they could migrate to garage or maybe just use these coollabsio minio docker image?
My problem was mostly that MinIO was not significantly better for my use-case then garage after the admin console was yanked. Thank you for the pointer though, I will take a look at this for my plane.so instance (using a private containerized minio there still).
While not notifying of the change earlier is annoying, I also don't see anywhere stated that they're obligated to provide services in addition to just providing me the source. Moreover the build-instructions don't seem complicated at all, anyone already extracting value from this should be capable of pulling the source and keep on running with it.
Maintaining docker builds isn’t that huge of a burden (and likely very useful for them too), and they’re delegating hosting to a third party… I don’t get what they’re trying to achieve here.
I am really interested in this case, as I cannot imagine any commercial benefit from this decision.
Free users will not pay tens/hundreds of thousands for just binary files.
Obviously this will slow down the adoption of the AGPL version, against which the growth of the paid version potentially will look better in Excel reports for VCs, but something tells me that this is unlikely to be the real reason.
It's not just binaries. The goal is probably to get freeloaders into the sales funnel where salespeople can work on them about the value of the entire enterprise package, especially security and support. Even if sales doesn't work on you it does work on a lot of people.
> Free users will not pay tens/hundreds of thousands for just binary files.
Sad to say but this isn't true. This is a failure to understand the pricing model of this kind of enterprise software.
What happens is the free version is used in some product somewhere. Then product's company gets acquired by HugeBigCo. Product company brain drain happens and HugeBigCo looks at poorly understood free software dependency as a liability. It's cheaper/better-on-the-balance-sheet to pay for a license and a support contract than to move off of that dependency or hire competent people to look after it...For a few years, anyway -- until that business unit is worth investing resources in.
That's how a company like Neo4j can charge a half-million bucks a year for one production cluster and get HugeBigCo as label that they can use to try to convince other companies that this pricing is even remotely reasonable.
Anything enterprise data-storage SaaS related is looking to charge at least a quarter-million a year.
On one hand, MinIO isn't obligated to anyone... on the other hand, there's a lot of people who now feel obligated to not use MinIO anymore. Given that MinIO won't patch their container images, are obligated in many cases. A Dockerfile that actually builds instead of copying binary blobs should be as simple as one that executes `go build`. So a fork that just adds that one step seems inevitable. Seems such a waste on many levels.
Lots of people in this thread keep repeating the idea that, "Nobody owes anybody anything".
Sure, just like nobody owes minio goodwill or business. People sour on these kinds of things because they feel sneaky and backhanded. It tells you something about the kind of people you're working with.
Imagine if a food kitchen suddenly started charging for the food, without notice. Or they started charging to use changing rooms in clothing stores. Etc, etc. You'd, rightly, expect a negative reaction, even if the "food kitchen doesn't owe anybody anything".
The biggest misstep in these situations is the corporations avoiding being honest and communicative about why the changes are suddenly necessary. We all know, intuitively, that in most cases its because it's not for a good reason. It's because they are greedy or otherwise feel pressured to show infinite growth.
It is unfortunate, but somewhere you need to draw the line, if you are planning to stop releases. If they fix this, how about the next? Why fix this one but not the next CVE? Is the reaction same next time and they end up fixing endlessly?
IMO they should've waited at least a month after updating their README. The timeline is rather short.
It'll be hard to convince people to buy their commercial offering after pulling something like this.
On the other hand, they did the work for free, so it's up to them to decide when to stop doing that. Plus, anyone can fork the repo and maintain their own version with fixes and docker images and everything.
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
> Leaving a known unsafe version as the last release is irresponsible.
I think they should have done a better job of announcing this ahead of time (or at all, really); but there's realistically never going to be a CVE-free release to stop on, because the next CVE is just around the corner.
I'm not sure why I got downvoted here. Minio's behavior here is shitty - but in a day or a month after the last image is released, there /will/ be a CVE that affects that image. By GPs statement, when are they then able to stop releasing?
Am I getting this right - someone has been providing things for free for a long time and now people are complaining that they are relying on getting things for free and the "someone" cannot just change this?
What are folks doing who were just using it for CI/test/dev environments? Just build the image yourself? Use Garage as some have suggested? I'm curious what people see as the pros and cons.
Why? The maintainer in the link chooses to be a dick and refuses to explain literally any of the weird decisions they've been making. That would at least help people understand?
This reminds me about the bitnami containers. They pulled the docker images so everyone migrated away because they fear they will also pull the artifacts building the project. They never said that. They seem to be continuing to updating the projects and providing access to the artifacts. It is very easy to build the dockers... it is just a dockerfile really... There is really no upside to stop updating the projects, it is free marketing...
This is interesting. I've recently been doing quite a bit of research into what my "future stack" is going to be for backend. MinIO regularly came onto my radar but one heuristic (among many) I use to determine which software is TRULY open source and which is far less likely to remain open source is whether they even provide a link to their Github page and prominently display it on their website. MinIO was triggering my "not really open source" radar for this reason.
I'm still dabbling but have kind of latched onto the idea of using Ceph. To my understanding they were acquired by RedHat, and the project has all the signs of real open source, including the fact that it originated as a doctoral research project at the University of California, Santa Cruz, with initial funding from the U.S. Department of Energy.
Shame. Textbook OSS rug pull. These people love to rely on OSS, and claim how committed they are to contribute to the ecosystem and to their community, but as soon as people are drawn to the project, start relying on it and using it in the same spirit of OSS that they enjoy themselves (which their chosen license allows, mind you), then it becomes a financial burden, priorities shift to their commercial offering, there's no "bandwidth" to maintain and support the "community" edition, and so on.
STOP ABUSING OSS AS A MARKETING GIMMICK.
Or perhaps an advice to people who might actually listen: stop being attracted to open source projects because of the word "open", and because you can use it gratis. There are plenty of good proprietary and commercial software whose authors treat their users with more respect than these leeches of good will and abusers of trust.
I'm not against OSS being commercialized. In fact, I think that it's crucial for maintaining a healthy project in the long-term[1][2]. But this lingers on the developer having respect and equal regard for all their users, regardless of how much they're paying them. Yes, nobody working on software should be expected to work for free. But there is a philosophy behind this movement that goes beyond a financial transaction. It only works if everyone in the ecosystem is honest, and first and foremost has the intention of making the world a better place for everyone, by not only depending on others who have this mindset, but by adopting it themselves. Claiming to be part of the OSS community, but being hostile to your OSS users is dishonest at best, and worthy of all criticism.
>It only works if everyone in the ecosystem is honest
In general, applying this to anything with the general public, I don't expect it to work. This is why we have laws, licenses and rules in the first place. You can preach all you want but it won't change humanity, you need something concrete, something written and agreed, like a license.
Not all licenses protect the freedoms and rights you're used to in other licenses, and it needs to be taken into account when adopting any project. License terms that don't guarantee any sort of support or updates when you need them aren't in consideration at that point.
If you don't trust people, then OSS is not for you.
You can't claim to provide software as a public good, while also gatekeeping it only for specific groups of people. If you want to do that, then choose a restrictive license, with the exact terms of use you're comfortable with, and don't work in the open to begin with. That is a valid strategy if your main priority is getting paid.
My objection is towards people who use OSS licenses, but then take issue when others actually use the freedoms they've granted, and proceed to enshittify the project by removing features, putting them up behind a paywall, and in general being hostile and ignoring the user base they've gained in large part thanks to OSS. This is using OSS as a marketing tactic, which undermines the whole point of open source and the free software movement.
While I understand the frustration with MinIO’s approach here, I want to be upfront about what Cloudian HyperStore is and isn’t - it is designed for multi-node, multi-site deployments (think 3+ nodes minimum) and performs best on bare metal or dedicated infrastructure rather than containerized environments.
It’s a very mature S3 and offers IAM, SQS and STS endpoints as well.
If you’re running MinIO at scale in production and looking at migration options, I’m happy to connect you with our team who can discuss whether HyperStore makes sense for your use case.
That said, for single-node dev environments or lightweight deployments that many here are using MinIO for, the community alternatives mentioned in this thread are probably better fits. Different tools for different scales.
Happy to answer any technical questions about HyperStore’s architecture if helpful.
No, Cloudian did not develop MinIO - completely separate companies. MinIO was developed by MinIO Inc.
Cloudian makes HyperStore, which is our own S3-compatible object storage solution. We’re a competitor to MinIO, not affiliated with them in any way.
I was not familiar with MinIO until this post and I see now 694+ upvotes!
Can anyone give me some background on why MinIO is/was so used?
So many people want to self-host S3 compatible software?
Just asking, very curious about the whole thing!
Just make a fork and release built images via github actions with ghcr. Then ask people to switch to it.
The great thing about open src is the ability to walk away. removed features in new release? fork and put it back. quit complaining and be the change the world needs you to be
Quite a downward spiral for them. Wow. I mean I get the yearning for turning a profit, but this is yikes. This is the type of thing that guarantees most people using your open source / free variant never return.
I am guessing here but I do understand why they want people to open source the management code of minio and in some cases how it is integrated into a product. I understand that AGPL might not be written for these requirements but I think it is time for a new such license.
If it is part of a SaaS product that is sold I can definitely understand why this is important.
> "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."
It does matter, since the current AGPL license status is questionable at best, they did not have permission to relicense code added by contributors. This is why CLAs exist.
If you don't have a CLA you just end up with the new changes being AGPL which creates a mixed license amalgamation which in practical terms regresses down to the stricter of the licenses which would be the AGPL.
It's sad to see a company that built itself using (and yes I purposely choose the word using) the community abandon the community in pursuit of maximal profit.
THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM *"AS IS"* WITHOUT WARRANTY OF ANY KIND
They have no obligations to provide documentation, binaries or anything beyond the source code.
I personally think this is a better option than migrating from an open source license to a source available and I would like more project adopt this approach from the beginning of their projects, to set people's expectation right.
Which would be very relevant if anyone were trying to sue them for this - which no one is.
The license establishes the limits of legal requirements and responsibilities. It doesn't shield you from criticisms and people being annoyed with you.
Incidentally there is a open source S3 project in rust that I have been following. About a year ago, I applied Garage images to replace some minio instances used in CI pipelines - lighter weight and faster to come up.
Shameless plug: try Minimus! Minimalistic and always updated container images. We have the MinIO image and it is always up to date. https://www.minimus.io/
I think Minio is the only Go client for S3 API and S3-compatible APIs. I cannot say I liked using it, but I had no choice. Nowadays I run my own file storage with my own API, so I no longer care.
I've used the minio-go client library for about a year now. I don't see anything in the minio-go README or elsewhere to make me think it will no longer be supported. In fact, the most recently merged PR was yesterday. There are some other Go S3 clients, like https://github.com/kelindar/s3, but I don't know if any other Go S3 clients have the complete set of features that minio-go has.
They created their business on open source. Free software was their top of funnel. Free customers become paid customers, and fund the business. They are more than welcome to change this, but there is no way they don't end up with egg on their face, and that's what we're seeing here.
They've also tried to claim AGPLv3 will infect any networked client code too: "Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations. The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO." -- they've since removed that, utterly unsupported, argument, but the lesson to take home is they're really trying to prevent any non-paid use.
Have been looking for minio alternative for long already. Found versitygw lately and would like to share the joy. It feels very promising. Fits to many small or lab use cases.
It does not actually solve the trickiness of managing large storage but relies on the backend (that is usually fs like zfs in small setups).
However, seems to be quite new project plus the risk, that the owning company takes it to bad direction, is there too.
To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spew out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
I'm trying to be charitable here, but you're being incredibly obtuse in your response. The issue here is very much not that someone has to build a Docker image. There's already a Dockerfile in the repo that works to build it, you didn't even need some LLM to do that for you. That's not the issue. The issue is that their existing Docker image has billions of downloads and they simply stopped publishing updates unilaterally with no material attempt to communicate this to their users when the current image is affected by a critical CVE that will now never be fixed.
If you don't understand the difference between these two issues, I would suggest it is /you/ that lacks the ability to add sufficient value to your employer (as if that's even a standard we should care about We are people, not merely cogs in some VC's wet dream).
The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?
The time line is rather short (the README announcing source only releases got updated a week and half ago) but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.
I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.
The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.
You're taking an all or nothing approach, when that isn't how this actually works. Software lifecycle management is part of product management 101, and generally how this is handled is you provide /advanced notice/ before an action is taken. Will this fully solve this issue and guarantee notification to every impact user? No. Will it help some of them and show a material attempt to be a good steward and act in good faith? Yes.
Some actions that they could have taken but didn't:
* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images
* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image
* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.
They could have done all three of these things, they could have done other things also. Most importantly, anything they do should have time for people to digest and respond to the action in a reasonable manner, you should not rug pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).
A developer not offering builds themself is a common thing in package managers, like apt or pacman. I don't get why it should be any different for Docker images.
Open source is sick. Everyone wants it (both to maintain a successful project, and to use them) until you maintain a popular project for a reasonable time then your realise you're getting used for fuck all value.
We need a healthy way to support open source developers. This isn't working. Companies are taking advantage, and individuals are overwhelmed with choice and have delusional expectations.
It would be cool if The Linux Foundation had a fund to support open-source devs with stuff, like a stipend or hosting costs, kind of like what exists in the hospitality space. I know that this sort-of exists, but it feels distributed amongst a few big companies and is entirely at the whims of their quarterly performance.
They changed their license to AGPL, removed features (Web UI, etc.) and now they don't provide docker images/binaries. It's their project but; what's next?
Obviously they will eventually no longer license AGPL at all. It's wild to me how this can be a surprise to anyone, this entire company has been one gigantic red flag for years and that's just what's publicly known. It's a legal department with a software product as a side business.
I used MinIO for local dev. I can use S3 or R2 in some cases instead. Kinda crazy to find out that people use these Docker images in production. Why on earth would you do that?
It's been talked to death in other threads already, but typically when you provide a service, even if it's free, it is polite to give warning that you will stop providing said service in the future.
If they are trying to push people to commercial services I typically attempt to steer away from companies that make rash decisions with a moments notice, rather than ones that would leave you high and dry.
> It's been talked to death in other threads already, but typically when you provide a service, even if it's free, it is polite to give warning that you will stop providing said service in the future.
They actually did that by saying that there are no new releases planned and new releases may be cut at anytime and everyone uses them at their own risk.
Any recommendations for a simple S3 implementation for a local docker-compose development setup for mocking S3? Ideally with a nice UI to check/manipulate files.
Since the whole docker thing where people were complaining about having to pay 10USD, I am happy when OSS projects pull the rug, tech bros you're paid to solve your company's issues, nobody in OSS owes you anything, go earn your salary and build the docker image that fix the CVE, or stfu
We all know you don't care about loyalty correctness or anything, you just someone to do the work you're paid for
Spot on. The number of people who are seemingly completely lost without a free DockerHub build is terrifying. Maybe it explains why software quality has degraded so much over the last several years.
are you saying there's a bunch of human centipedes bopping around here who are both the people who would do the minio rug pull as the ones who complain about not getting free services?
It is hardly a rug pull, when they are still giving away the full source + the actual Dockerfile, so you know, you can build the image. In either case, if you are not running your own registry and are unable to build an image, but still complain about this minor issue...you are probably in the wrong business.
Still don't get why on earth anybody would run a Docker version of MinIO in production. And why is this even a problem. Not like you put a private storage service on the Internet? Or do you? The incompetence of the average HN user is just mind blowing.
They abandoned documentation (edit: for the open source codebase) a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.
>The price of support comes in at at slightly less than the equivalent amount of S3 storage
That's absurd. I would be running to NetApp and Dell for competitive object storage quotes then. Haven't done pricing on either one recently but at least a few years ago they were roughly half the price of S3 all in (including hosting costs).
> half the price of S3
No one other than hobbyists is paying full price on AWS.
Maybe someone else somewhere is getting some unbelievably sweet deal but what I've seen from cloud discounting is more in the "single digit percentage" range than "2/3rds off" or something.
There are a ton of different discount options - large customers typically get between 50-60% discount based on committed spending, and AWS is pretty flexible around how that commit lands (they will allow roll overs even if they say they won't). Reserved instances get you ~70% discounts - similar to the committed spending. And my favorite - if it works for you - spot instances on EC2 come at as high as 90% off.
Nobody at commercial volume pays list to AWS - everyone gets a discount.
How about S3? I haven’t personally seen them price that so aggressively but I have a limited sample set.
You can sometimes get a committed use discount within certain regions. Not as extreme as the EC2 discount, since S3 storage costs are honestly pretty low when you use storage classes correctly.
Everywhere I've worked discounts have been 40-60%. If you're getting leas than 40% whoever manages your cloud account isn't doing one of their job duties.
Even 1/3 of the AWS egress list price is a rip-off.
How to not pay full price on AWS? We pay $10K+ per month and nobody gives us any discount.
You talk to your account rep to do a guaranteed spend in exchange for a discount.
Some services get large discounts, some don’t. Depends on utilization. For 10k you should get a lot.
At previous $WORK we had similar bills. Our Account Manager got us some deals on S3 storage and egress fee (via CloudFront), in exchange for some usage commitment. It was AWS Europe though, it may be different in the US.
To be fair, for aws that is hobbyist numbers. We (400 people data company) pay 10 times that amount. Let alone big enterprises.
We do get discount, but it wont make it cheap.
There’s a lot of middleground between hobbyists and your company’s use ;) Most mid-sized publishers I’ve worked with are in the $4-10k/mo range depending on CDN availability
Of course, I agree.
My point is that the parent I was replying to replied to “only hobbyists pay full price on aws”. The parent was expecting to get a discount on a 10k monthly bill. It is a lot of money, but not to AWS. You probably wont get (much) discount on 10k a month.
upthread: "[No one] pays full price"
later: "no one who spends more than $10k/month pays full price"
curious, that no one says what their bills are when they say "40-60% discount", right? This thread started because someone mentioned dell/netapp because they were half the price of AWS, all-in.
I notice a lot of threads do this, lately. Not this topic, but topics in general.
What kind of hobby do you have where you’re spending $10k/month?
I see you've never heard of Warhammer 40k
I see you haven't heard of SLA printers
Holy shit, it's brutal. What do you sell and how many customers do you have?
Savings plans and reserved instances will get you at least 50% off EC2, RDS, and some other things
The good discounts start around 100x your spend.
If you are comfortable with making a commit 1-3 year commit - you can get 27-50% discounts at pretty much any spend I think.
https://aws.amazon.com/savingsplans/compute-pricing/
Right, but depending on your workload, compute might just be 1/3 to 1/2 of your spend. The remainder going on storage, networking (egress and internal between regions & AZs), LBs, and higher abstraction services (from queues to search to serverless).
Feels great to talk about 27-50% but turns out it's 9%-16% when all is said and done. You can get commitment savings on other services but you need higher spend.
Feels odd that big cloud gives better discounts to enterprise. They really don't cater to startups as much as they posture.
You pay $1 million per month for AWS?
I guess it's a good thing I'm not talking about list price. Do you really think when you're doing a cost comparison of AWS S3 to NetApp or Dell object storage a fortune 500 says: go ahead and use list pricing for the comparison? We plug in their existing discount structure... because otherwise it would be a rather pointless exercise for everyone involved.
Is anyone getting discounts on S3? There's easy ways to save on compute like reserved instances but I haven't found anything for storage other than the tiering system.
Agreed and for most smaller use cases theres always b2 from Backblaze.
That, in itself, should be plenty of reason to stay the hell away from it.
Cloudflare is the cheapest, from what I understand, due to free egress and competitive pricing: https://www.cloudflare.com/developer-platform/products/r2/
During an upgrade, I discovered that the console had been removed without any prior notice. MinIO really pissed me off. Over a month ago, I started looking for a MinIO alternative and found RustFS. I've been testing RustFS for over a month now, and the product continues to improve, with the community fixing bugs very quickly. I hope YC will invest in this company.
At the same time, I'm concerned that a YC investment means more of the same, eventually: open-source until it's no longer fiscally prudent.
free software until mainstream acceptance. naive MBAs call it leaving money on the table, Microsoft calls it a monopoly-preserving strategy. no VC has the balls to go for the jugular anymore.
Is open source and making money in conflict? If they do a good job, I am willing to pay.
Not necessarily, but if there's a cost to providing free support to the community like official container images, then it will get cut. People comment that it's "free" to provide these things through Github, but it actually has a cost to the maintainers in time, and it's frankly an easy business decision to stop doing that at times in favor of roadmap work that produces business value.
What I'm learning from this is to provide basically zero support from the outset and let it grow organically if I ever build a business on an open source product. As soon as you stop supporting anything for free someone feels entitled to it.
"but if there's a cost to providing free support to the community like official container images, then it will get cut.", but here's the kicker, supporting creating docker images when you're on github is close to negligible as to be paper thin.
Nothing like VC or IPO to ruin a perfectly good product...
it used to be that people started businesses so that they could help others by providing a product or a service to them.
late stage capitalism arrives when people create businesses solely to get rich, and when other companies are created solely to get rich by helping those people create their companies so that they can get rich. that's what ycombinator is.
most of capitalism used to be symbiotic. engaging in transactions with businesses benefited both the business and the consumer.
now we live in a world where most or all of the benefit goes to the business and none or almost none to the consumer.
I think very few businesses were created just to help people. Maybe some nonprofits.
Lots of good businesses were created to just make their owners a reasonable income, I mean, most people will take “be rich” if that’s an option but have reasonable expectations.
The problem with heavily invested in companies is occurs when they skip the stage of being a small profitable business with an actual business model.
I think even 50 years ago, that most people started businesses because they had a skill and could use it to help others meet their needs.
HP started (more than 50 years ago) with two friends who wanted to make better electronic test equipment. Profit was not forefront in their mind like it is to an MBA graduate today. Hewlett and Packard wanted to provide quality test equipment to people, because a lot of the test equipment of the day was subpar to them.
By the time the 80s rolled around, they paid 100% of an employee's college education (no matter how high they wanted to go with that) and paid them 75% of their salary while they were away at school. College was cheaper then, but zero employers today would even briefly consider paying people any amount at all to not be at work while also paying for the thing keeping them away from work.
corner stores in crowded neighborhoods are not started to maximize profit potential for shareholders. corner stores are started because someone saw the need for a corner store and wanted to make a living running it; they wanted that to be their job.
Until the invention of the MBA I don't think most people who started businesses did so purely for money. There are many easier ways to make money. Today people can start shitting mobile games with pay to win mechanics and they will be rich when the first one takes off. No one creates mobile games with pay to win mechanics because they want people to experience the joy of microtransactions.
Every business today (certainly every tech business) is designed to find out what people want via market research, pick the thing that looks the most profitable, then through a very well developed process, turn that business into a source of retirement money for the founder(s) and a source of return for the investors. It is literally a photocopy model of business creation. "Follow the process and you will succeed."
No one is opening shops today to help their neighbor. No one is opening new bakeries because their town needs one. No one is doing anything that one used to see people doing everywhere they went. Profit-driven motivation ruins everything it touches. Everything.
Everything is profit driven, now. Everything. The MBA is the most disasterous degree ever devised. It makes people think that starting a business purely to make money is a perfectly normal and healthy thing to do, and it simply isn't.
> Zero employers today would even briefly consider paying people any amount at all to not be at work while also paying for the thing keeping them away from work.
Apple definitely had programs to pay all or part of relevant educational programs, and they sometimes paid for people to attend conferences. I'm sure it was much more restrictive than the HP policy you're describing here, but it was definitely more than nothing.
That's a bit naive. Look at the early industrial revolution, when most goods were still made at home, locally or on a small scale by craftsmen.
People went from having the land and resources to craft, for example, their own shoes, then a few decades later they were in a position where they had to buy shitty factory made shoes that fell apart instead because they were kicked off their land to work in factories.
I've seen the land that my ancestors left to become factory workers. There simply wasn't enough of it to feed everyone. In fact, the last pre-factory ancestor worked as an itinerant tailor because there was no land for him to cultivate.
I'm pretty sure factory work was a step upward for these families.
If they were giving it away for free and paying a non-zero cost to do it, that's not sustainable. And that clearly isn't taking all the benefit for themselves. This is a take so bad, it isn't a take anymore...its a personality flaw.
Literally nobody is making that claim. Nobody expects businesses to be charities.
The thing being argued against is businesses solely being viewed as a "get rich quick" gambling scheme, where the only thing that matters is a rapid rise in shareholder value. VCs don't want a company providing a steady retirement fund, they want you to go for a 1000x return or die trying. The logical end result is that you screw over your customers and employees whenever possible, and burn the entire thing to the ground for the last few bucks. Just look at what Broadcom is doing to VMware: they might've delivered some great shareholder value, but they did huge damage to society in the process!
We shouldn't allow businesses to operate like a cancer which grows forever until it eventually kills its host, leeching off as much in the process as possible. If you want sustainability, you should be clamoring for businesses which are happy to just operate: employ some people, provide a valuable service to society, and make some profit - no need to take over the world in a crazy frenzy chasing unlimited growth.
Thank you.
Your understanding of what I said is the bad take, here.
There is a nice table here
https://github.com/rustfs/rustfs?tab=readme-ov-file#rustfs-v...
comparing RustFS to MinIO, including a claim about the MinIo support price.
Here an S3 compatibility table https://garagehq.deuxfleurs.fr/documentation/reference-manua... comparing
I'm currently testing for alternatives of minio on my homelab. Ceph was nice, lots of bells and whistles, built in support for virtual IPs is excellent, but on my aging hardware it was using 10-15% CPU in my VM while idle. Currently benchmarking garagefs, scales very well with core count and multi node set up is a breeze.
Garage uses the AGPL v3.0 license, which isn't open source-friendly. Is OpenIO no longer maintained?
The benchmark against MinIO is nice, but I don't care much for the table vs. "Other object storage" which seems to try to aggregate all the worst points of all the others with no citation (e.g. why should I believe RustFS has no intellectual property risk but others do? What's different about them to back that up?).
This comparison reads like it was written by an adolescent. The first row immediately reminded me of the classic meme[1]
[1] https://imgflip.com/memetemplate/460629937/our-blessed-homel...
Eh... however, I must add a strong note of caution. On their README, it states:
> RustFS is under rapid development. Do NOT use in production environments!
Also note that it seems to be a Chinese company (北京恒河沙科技有限公司), so security issues might arise.
That does sound much worse than hiding the pre-built images from users. I hope that documentation is archived. There's probably some benefit in documenting those installation tips elsewhere besides Github comments.
Yeah, running binaries of varying qualities taken from all sorts of places is a bad idea anyways. Distro packages are generally more consistent or even running "go build" yourself is probably better in this case.
But pulling existing documentation is a whole different matter. One can argue that they don't have an obligation to maintain the docs, though it would effectively make continued use of newer versions untenable. But pulling existing ones is an unnecessary rug pull when it doesn't cost anything to keep it online. It's a big middle finger to open source.
I'm sure it's been scraped to be regurgitated by a whole slew of LLMs.
old documentation doesn't help when the software changes
Well, gosh. Maybe I’m glad I didn’t get that documentation job with MinIO after all.
Unrelated but i find it funny that the Microsoft logo on the Install on Windows section is upside down on the redirected link docs.min.io/enterprise/aistor-object-store/
With 100PB clusters being built and not a cent going to them, you can see why minio has gone this route. I wonder if they will be "valkeyed"? Not by AWS presumably.
That's the open source model. It's entirely predictable that if you provide software at no cost that is capable of running 100PB clusters, that some people will and you won't get paid, because those are the terms that you set.
It's fine to change your mind, but doing it in this way doesn't build goodwill. It would be better if they made an announcement that they would stop creating/distributing images on some future date; I'm sure that would also be poorly received, but it would show organizational capacity for continuity.
If I'm considering paying them for support, especially at the prices quoted elsewhere in the thread, I need to know they won't drop support for my wacky system on a whim. (If my system wasn't wacky, I probably wouldn't need paid support)
There are a few challenges with open-source projects that want to also be commercial entities.
One is obviously knowing what you can add-on that people will pay for; support, for one, but people want more features too. What could minio have built on top of their product to sell to people? Presumably some kind of S3-style tiered storage system, replication, a good UI, whatever else, I'm not sure.
The second is getting people to actually know that that's an issue. I work for Tigera which publishes the Calico CNI for Kubernetes, and one of the biggest issues we have is that people set up Calico on their clusters, configure it, and then just never think about it again. A testament to the quality of the product, I'm sure, but it makes it difficult to get people to even know we have a commercial offering, let alone what it is and does and why it might be beneficial.
I could see the same thing for Minio; even if they have a great OSS product, a great commercial offering on top of that, and great support, getting people to even be aware of it in the first place is going to be a huge challenge and getting people to pay for it is even harder.
It's sad that they went the completely wrong direction and started taking things away from the community to force people to the commercial side of things whether they're willing to pay or not.
I reckon they gave away too much, and are clumsily rowing it back.
Gitlab seemed to do a good job of navigating a community edition as an on-ramp for sales. But it's obviously a lot of work to maintain that edition, and VC must be feeling less geenerous than 10-15 years ago.
e.g. maybe if it were my project I'd have kept back the S3-compatible ACL support and put in something super-basic. Or even cluster support. Right now it feels like they're cutting off everything they can while still being able to call it "open source".
That's a strange mindset, IMO. I'd be pissed if I had to pay $0.10 every time I turned a rachet, and it's weird to expect companies to have usage-based monetization on the tools they've made for others.
An analogy to making a physical tool doesn’t really work because we have to basically describe what software is in terms of exceptions to the analogy.
If I had a ratchet that, every time I turned it, I had to pay $.1, but I’d gotten it for free, but it was basically free to replicate, but the person who designed it did have to spend some significant work on R&D for the thing… I have no idea how I’d price that or how I’d feel.
oh you really butchered that metaphor.
The ratchet isn't what's getting paid in the metaphor, it's the person turning it.
There's always a time-sink cost to a public project.
Anyway, there's definitely a public good argument to turn certain software projects into utilities.
I don’t think that’s what they were going for. They said “ I'd be pissed if I had to pay $0.10 every time I turned a rachet” so the person turning the ratchet is the one paying. Who they pay to is unknown.
ok, but the ratchet isn't what's being paid. It's the labor. The ratchet is irrevelent. It's the time it takes. And it's the POV.
It isn’t clear if you are trying to improve the original poster’s analogy, come up with your own, or change something about mine.
But, regardless, my main point was that describing the software in terms of a ratchet is not very helpful because hardware and software are different types of things.
You effectively do pay per turn of the ratchet. It doesn't last forever, will eventually break, and so you can amortize the cost of the device over the number of turns you expect it to make to get the per-turn cost.
Software on the other hand does not naturally wear out, in the same way physical objects do.
Let me introduce you to Splunk and enterprise software in general
did you buy the ratchet?
that's why you'd be pissed.
If you were given the ratchet and then someone wanted to charge you every time you use it you would also be pissed.
> If you were given the ratchet and then someone wanted to charge you every time you use it you would also be pissed.
People gotta eat. If someone's making valuable tools and giving them away, they still need to get paid somehow. If people aren't voluntarily tipping them enough, then something's gotta give.
There have been too many stories of open source developers basically burning themselves out for years, then it comes out that they're barely scraping by and can't take it anymore.
The problem then is that you're making a valuable tool and giving it away and then wandering around hat in hand. That's not going to work for anyone. Also, taking away things that you've already given people for free so that they have to pay you to get them back is not going to engender any goodwill.
Unfortunately, the minio devs seem to have fallen into the common trap: make a great OSS project that works and that everyone likes, give it away for free, not know how to make money from it, and then start making user-hostile moves that piss off your users to try to make them customers - and who, surprisingly, do not want to be customers now that you've pissed them off.
It starts to feel more like a protection racket. You've got some great features here, would be a shame if something happened to them. Oh no, your docker containers! Oh, that's a tragedy what happened there, but you know, accidents happen.
> The problem then is that you're making a valuable tool and giving it away and then wandering around hat in hand. That's not going to work for anyone.
That is textbook open source idealism: you give to the community, the community gives back. The problem is a lot of people are moochers, even very rich people who have money coming out of their ears.
> It starts to feel more like a protection racket. You've got some great features here, would be a shame if something happened to them. Oh no, your docker containers! Oh, that's a tragedy what happened there, but you know, accidents happen.
Come on, don't be so uncharitable. It's nothing like a protection racket, which is pure, planned exploitation. This is open source idealism coming into contact with capitalist reality.
I know this is anathema around here, but this is why I have always liked grant-funded open source work. Whether government or private, someone at a policy level decides that something is important, and pays for development, leading to a new public good.
The development cost is based on the complexity of the work. It doesn't require a royalty payment in order to deploy more copies or to run them at higher loads. The software already exists. Separately, normal economic decisions can be made around support of deployments, e.g. whether to use in-house labor, hire consultants, or subscribe to some service contract. Sometimes, but not always, the users are another grant-funded project.
This model isn't a lottery ticket for the developers, nor the capital class. But the developers get paid a good wage for the time they spend on a product. I've done it for the majority of the last 30 years, almost like being a conscientious objector to the VC marketing complex.
Unfortunately, there are societal forces working hard against open source public goods. I think regulatory-capture is turning the whole security space into a compliance moat for heavily capitalized players. And the higher education cost spiral keeps increasing the overhead for universities, where a lot of these open source developer jobs used to be found. These are overlapping, but I'd say not the same thing. The overhead in academia is more than just compliance burden.
And, the whole fad-chasing and hustle aspect of contemporary IT is an inflationary process, eroding the value of previously developed open source products. Over my career, it seems that production-ready code is getting an ever-shorter service life. More maintenance and redevelopment work is needed or else users abandon it for the Next Big Thing. It's been quite a ride for me, following the whole wave of GNU, MIT, BSD, Linux, Python, and scientific computing tools since the early 90s...
if people are giving away wrenches and not getting paid for that, they will quickly run out of wrenches, and they will learn. giving away something free does not inherently give them the right to charge for use of the wrench.
giving a wrench to someone where you charge based on usage should be something that is agreed upon up front, not at some point later, after a rug is pulled out from under the customer.
> giving a wrench to someone where you charge based on usage should be something that is agreed upon up front, not at some point later, after a rug is pulled out from under the customer.
You're mixing up non-capitalist kindness and reciprocity relations with market relations. They're different things. Downloading open source code doesn't make you anyone's "customer."
The thing that happens first with these "open-source gone closed stories" is the community (or one particularly big mooch) failed to reciprocate the developer's efforts or was otherwise undercutting them. Then the developer responded.
And of course, the predictable response from some parts of the community is "how dare you not let me mooch off your efforts forever. I am entitled!1! Protection racket! Rug pull!"
Conflating physical products and open source software doesn't usually make sense. The open source model is more like someone making a valuable tool for their own use and then agreeing to let other people copy the design and make their own version of it. Monetisation can come from various sources - you may be paid to make the tool in the first place or you may perform a job where that tool helps you (or whoever is paying you).
> People gotta eat. If someone's making valuable tools and giving them away, they still need to get paid somehow. If people aren't voluntarily tipping them enough, then something's gotta give.
No one is saying people can't charge for their work though.
No I wouldn’t, I would say “yeah that makes sense doesn’t it”
In this example the ratchet manufacturer would be giving them away for free though, and then get pissed when no one volunteers to pay.
> I wonder if they will be "valkeyed"? Not by AWS presumably
Almost certainly not, due to the AGPL license. I know Nutanix got into hot water about distributing Minio so I don't think any big shop will fork it.
Nuantrix distributed a version that was still Apache licensed and merely failed to disclose they had made changes.
This is after MinIO asserted that Weka had also stolen their AGPL-licensed code, showing that they extracted binaries from the distribution. They forgot that that 3-month old (unmodified) version was still Apache licensed though.
MinIO generally don't seem to consult lawyers often. They haven't even set up copyright assignment / CLA immediately after switching the license, so technically they are also incapable of selling AGPL license exceptions just like everyone else.
I've done my best to keep MinIO away from most infra I manage, not because of legal concerns but because it was kind of obvious they'd eventually go full scorched earth and either drop images or the source code distribution all together. Maybe now we can all move on to a fork, or SeaweedFS, or Ceph, or literally anything else.
They don't consult lawyers. The CEO husband and wife team get really angry and fire off threatening letters, but I've never seen them consult a lawyer before sending a letter like that or accusing a company of violating a license publicly.
> showing that they extracted binaries from the distribution
Funnily enough, such action is outside of their paid product's EULA.
It’s the sort of behaviour that makes them relying on them even as a paying customer extremely risky.
That just means the fork would also need to be AGPL licensed, and the owner of the fork wouldn't be able to also sell a proprietary version with additional "enterprise" features. And IMO that would be a good thing.
I think it is unlikely a single entity would do that. But a coalition of current MinIO users might get together to create such a project, perhaps under the Auspices of a foundation such as the Linux Foundation. Although, I think that scenario would be more similar to OpenTofu than Valkey.
I am definitely not a lawyer, but as a thought experiment, would Amazon be able to take the AGPL Minio source code, turn it into a managed service, and resell that to customers?
Was under the impression that the answer is yes, they could - with the caveat that they'd have to release the modified source code of whatever backend services are also tied into the Minio source code. For example the AWS control plane that would launch customer instances of Minio, monitor it, etc would also need to be open sourced?
If they charged a cent, would people adopt it in the first place?
They still got paid for those free users. Via investments. Cash is cash. I don’t KNOW what the RIGHT business model is, I don’t run MinIO, and neither do you.
maybe they got paid in exposure
Wait until you find out how much compute is being run on Linux without a cent going to Linus.
Nah, it's fine. It's Open Source, you can document it yourself if you need to! But there is no obligation from the MinIO authors to provide it, you're not entitled to it.
It sounds like you’re being sarcastic but what you say is correct and true.
It can be correct and true while at the same time being bad-faith and user-hostile.
I’m a firm believer in open source and have decades of experience with it as an active community member.
There are two sides to this coin and tension in between.
On the one side license change rug pulls are annoying and deserve negative consequences.
On the other side, open source users are often far too entitled and demanding, contributing little and taking much.
At the end of the day the license terms are clear and users would do well to expect no more than the license says they’re entitled to expect.
Maybe then everyone can start being pleasantly surprised by each other’s behavior instead of both sides being disappointed by the other.
I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.
Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
You're letting docker's security team know that they're serving Ubuntu 14.10? https://hub.docker.com/layers/library/ubuntu/14.10/images/sh...
there is a major difference between having an old image available and having it tagged as latest with no updates beeing available on a channel that before that published all updates with nearly no time delay
Someone seem to already be at it on Discussions https://github.com/minio/minio/discussions/21655
So that's not the same thing. Docker "official images" are a category of curated docker images. Minio is not one of them. The official curated images are here: https://hub.docker.com/u/library
The minio image is basically a community one that anyone could have created, but still shows in overall docker hub. It's created by minio themselves. I'm kind of surprised they haven't removed it, but with over a billion downloads they are easily in the top ten of whatever category they fall under creating substantial free advertisement.
Did you read the discussion? The docker steward is proposing making a docker "official" minio image to replace the minio/minio image.
Yes, I read it. Last time it was raised the same guy who announced they are doing source only distribution said they could definitely do it, then another member of the team closed it saying it wouldn't happen.
Given the developers have not replied to the thread after a day and the one who was enthusiastic is now the one doling out the information that they are no longer supporting their docker image, I highly doubt they will perform a 180 on policy and suddenly work with them to provide an official curated image. If they wanted to keep the docker image alive they would have continued updating it and not shut down community feedback begging for them to maintain it.
Docker has a vested interest in keeping popular images maintained and a billion+ download package suddenly becoming defunct is noticable to them. Minio seems to be prioritizing their commercial offering and removing support for their open source offering though. Nuking their community documentation doesn't spell anything good for the future of minio for the FOSS community.
Oh that will be an interesting discussion to watch.
> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.
People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?
Zero trust is the way to assess threat. Not Internet access or not.
No, it is a defense strategy. For e.g. hobbyists, it's basically irrelevant, and having something on a private LAN is fine. There is almost no chance of an issue. Not everything in the world needs to be maximally secured, and the people who are using those IAM policies are probably not pulling a vanilla image off Dockerhub to run something as fundamental as their storage layer. They probably also have firewalls tightly locking down which machines are able to talk to MinIO on top of token auth.
The cargo-culting around security is so bizarre to me. In a context where e.g. your organization needs to pass audits, it's cheaper/easier to just update stuff and not attempt to analyze everything so you can check the box. For everyone else, most security advisories are just noise that usually aren't relevant to the actual way software is used. Notably, no one in these discussions is even bringing up what the vulnerability is.
Notably, no one in these discussions is even bringing up what the vulnerability is
That's because of two things. The first is, assessment takes a deep dive into the issue, not a summary. Conjoined with the second, in that you must be ready to update if required, without issue.
In every case, it's less time cost even for home lab users to update instead of assess.
If it isn't, you're using terrible software, for example software which pushes security updates along with API and code changes. Such software doesn't take user security seriously, and should be avoided at all costs.
There's no way around it. Just do it right, don't half ass with excuses. Don't use terrible software. If it's plugged into a network, zero trust it is.
Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. Centos https://hub.docker.com/_/centos/tags)
I think the most they'd do is add the DEPRECATED note to the Docker hub page as they have done for things like Centos
Imagine the absolute chaos if docker would do that, pull vulnerable images offline. Not a single company would be able to build their software anymore.
Actually, Docker did something like that, where they limited the amount of docker images they would host for you for free to a reasonable number. The result was pretty similar to this current outcry: https://news.ycombinator.com/item?id=24143588
[dead]
...Or just spend 10 minutes and familiarise yourself with the basic docker build command? Its really dead simple.
Then you have to maintain a pipline and registry just to fix something that should be fixed upstream?
Again folks, you don´t "fix" anything by building a docker image. The fix is already in the source, you just need to run one command to build the image. The registry is something you should have in your infrastructure, if you are at least half-way seriously doing anything in the domain of containers and Kubernetes. But if you dont have one, it seems you are running things locally, for your toy project.Well then, just in that case just deploy from your local docker cache. All of this is actually merely a couple of commands in your simplified use-case.
The fix is upstream, they're giving away the patch for free.
Setting up a registry and a pipeline is annoying but it's hardly a life changing event. It's certainly easier than migrating to a competitor.
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
Is it an excuse? Maintaining code costs money, and the previous versions are provided under the license, and you're free to modify it, pull selective patches and maintain them yourself. While It'd be convenient if the license was a promise to develop and maintain features for free in perpetuity, it just isn't.
I run into this in non-company backed open source projects all the time too. Some maintainer gets burned out or non-interested and all they're rewarded is people with pitchforks because they thought there were some sort of obligations to provide free updates and suppport
It is sort of an excuse. I don't use MinIO precisely because of this kind of behaviour - if I cannot easily develop, configure and test our applications, I'm not adopting it commercially, specially when there are a ton of options to choose from. In the end, this hurts the MinIO's enterprise offering. Having a robust, easy to deploy community edition, with predictable features, is a great way of allowing integrators to develop and test using your product, and to help the product to gain traction.
It's different as a) they did offer it for free and b) have to maintain it for the closed version.
However, this is also a classic move, so shouldn't be unexpected behavior these days...
Conversely, if instead of making your users happy to pay you, you've made them happy to use your stuff for free, you own the consequences when you stop giving that stuff away.
Welcome to HN BTW, I see you were inspired to sign up and defend the project owner.
[dead]
These are the same people who get mad at Red Hat because they think the 5K people who develop, maintain, and test all of the software do it for free
I understand the frustration; however using anything VC-funded, you are not paying for, is pretty risky.
It's still risky if you pay unless you have a contract guaranteeing what the renewal price would be.
It would be useful to have some kind of future feasibility risk analysis service for open third party dependencies.
Something that can be plugged into CI.
Perhaps something like this already exists?
What ladder are they pulling up? Feel free to fork the last valid commit and make a competitor.
The ladder is still there! See that pile of wood there? That's where we put the rungs. And if dig in that hole over there you might even find the extension we removed last week...
How was the task of building this project easier for them than it would now be for you or me? I feel like you are using the phrase “pulling up the ladder” in a way that doesn’t track with common usage.
It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will chose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will chose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
"That expectation does not entitle anybody to anything though."
This is true legally, but not otherwise (socially, practically)
"That is their decision. Without any contract or promise, there is no obligation to anybody."
Again, true legally, but IMHO a really silly position to take overall.
Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.
Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.
Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.
Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.
More importantly - society has never survived on legal obligation alone.
I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.
This is a bad analogy. We are talking about building a very simple Docker image.
It is more like you went around your neighborhood and turned peoples lights on in the evening, then stopped.
Sure, it’s a lost convenience, but people can easily choose to just… push the button themselves. Or pay somebody to continue doing it for them. Or get a timer.
It’s really not a big deal, and there are plenty of alternatives.
I think you are missing the point of legal vs societal obligations and your analogy is equally bad. Minio's sold you this free light bulb and they also freely offered the service to upgrade it to the newest version every time a new lightbulb was released. There are many light bulb brands out there, some paid, some free, most of them also offer the service to upgrade the lightbulb automatically, even the free ones.
Then Minio decided to disable the feature to upgrade the lightbulb automatically, the code to update it is still there, they just don't want to do it anymore. Conveniently there is a Minio+ enterprise plan that has this feature. But hey! they tell you that you can easily set up your own server to update your lightbulb automatically. And most enterprise clients or people who have Minio lightbulbs in their office will do that.
But for single enthusiasts who don't have a server because they are just running a Minio lightbulb in their shed it's a bad situation, because if they knew this from the beginning they would have gone with another free lightbulb that updated automatically.
In short: Minio has the legal right to do whatever they want, people using minio have the right to be pissed. It's an all around bad publicity stunt and if I was a Minio investor I would really wonder why they are trying to piss off their loyal user base for a quick buck.
Sounds like an opportunity for someone to fulfill their own "societal obligations" and contribute back to the community they've benefited (taken) from.
All those people lurking while no one gets the idea to "ok, then I'll do the job for all of you" thing seems like the societal contract has been broken long ago.
I agree, but it is always harder to have someone fill a void for a previously solved problem. I think they eventually will, but it's almost like maintenance programming vs. greenfield development; it's a harder task that's not much fun, plus the interpretation that you need to do a buch of work for something you previously already had. Ill-will towards MinIO is completely understandable.
> I think you are missing the point of legal vs societal obligations and your analogy is equally bad
There are a lot of paragraphs in this thread laying the groundwork for this subtle strawman, but neither you nor DannyBee are addressing the real opposing position. That's the one that says there is no legal obligation and there is no social obligation. You're both treating the latter as if agreement about its existence is a forgone conclusion not in dispute. But of course it's in dispute. It's the basis of the dispute.
> But for single enthusiasts who don't have a server because they are just running a Minio lightbulb in their shed it's a bad situation, because if they knew this from the beginning they would have gone with another free lightbulb that updated automatically.
What keeps those enthusiasts from setting up a scheduled GitHub Action (or whatever system they prefer to use) to build the image for themselves?
How much (amortized) effort are we actually talking about here? One minute per release?
Well, if you use --no-cache flag, maybe even 3 mins... But it's too much for the entitled "it costs them like 0 to keep building images for us"-crowd
[dead]
The point is not about what Minio's legally required obligations are.
The point is, there is a community project, and Minio has revealed they are leaving the community. It's not illegal that they do so, any more than divorce is illegal, but it's concerning to anyone who views themselves as part of that community.
It raises a point that is it smart to join a new community that depends on the same people or organization.
Your persistent inability to comprehend this makes you look like a poor candidate for future professional collaboration. Maybe you are autistic, maybe just a shill, but it's not helping you.
Maybe I'm autistic, but in this thread is appears that one side is making a rational argument, and the other is an appeal to emotion.
A feeling of a community is not a contract. Complaining about losing that community changes nothing; and I believe that's the point GP is making.
OK - I live in a place that's snowy for a lot of the year. I shovel not only my sidewalk but my neighbours' several houses on both sides. People are really happy and grateful. Over the years Mr. Johnson the senior on a fixed pension next door loses mobility and is really appreciative I keep his walk clean. The couple next to him has a new baby and a clear sidewalk helps them load up all the accompanying gear into the car. My snowbird neighbours are happy that their walk is accessible when they're out of town. The dad who walks several kids to school is happy there's less snow to trudge through twice a day (in both directions). The mail carrier is less likely to slip and is grateful. Dog walkers and (crazy) winter joggers don't even consciously realize the improvement but still benefit.
Then I decide to stop. It doesn't really matter why, I wasn't getting paid or had not made any sort of formal agreement or promise, I just don't want to do it anymore. Now I shovel my sidewalk to the property line exactly and that's it. Hey, that's my legal obligation; I don't need to do any more! Mr. Johnson now has a lot more trouble getting out of his house; we see him a lot less. The baby is crying while new mom slips around trying to load up strollers and diaper bags and a car seat. The snowbirds just got fined by city bylaw for not clearing their walk. That dad's school trip is just a little longer, colder and unpleasant.
Hey, this isn't my fault! All those people took my effort for granted; I never promised to shovel their walks! They have no basis to judge me! But you better believe that this decision reduced their assessment that I'm a "good neighbour". Community is built mostly on implicit agreements, norms and conventions that are established through practice & conduct over time. You're arguing the right/wrong of this in the face of legal formalizations, while others are just saying it is a fact, not weighing the benefits and obligations.
We had some neighbors that used it throw a big Halloween celebration. They gave out drinks and snacks, dressed up in very elaborate costumes, setup movies on outdoor projectors, and do hayrides.
They didn’t do it last year. I was disappointed, but I’m not angry at them. I realize that they were spending a lot of time and energy and maybe they are just burned out.
I’m sure there are people who are angry and judge them. But those people are spoiled, entitled brats.
The distinction is that it is entirely fine to be disappointed. It’s not fine to get angry.
If people were depending on the party for very important things, and the neighbors encouraged it, and gave no warning, then it would be fine to get angry.
Actually, in your analogy the reason why you stopped matters a great deal. For example, if you stopped shoveling snow because you are sick/injured, or because you are caring for a family member, nobody would think less of you as a neighbor. It's only if you stopped for a selfish reason that people would negatively judge your neighborliness. So to the extent that the analogy is instructive as to how we should think about MinIO's actions, we would have to judge the reason why they did this and decide whether that is worth thinking less of them.
There is an important point you are missing. Attitudes like this discourage people from doing nice things for others in general. Because you are saying that one nice deed or nice deeds for a period of time mean you are bound to have to do that deed forever for free.
This is the tragedy of the commons but not just for a field of grass, instead its for all human altruism. You really need to think about the consequences of this attitude because it doesn't lead where you seem to think it leads. In fact, it leads to exactly the opposite set of human behaviors.
PS The neighbors could easily just contract someone else to do the shoveling in the future and instead of being salty about having to pay, looking at it as how much money they saved in the past.
I mean, fair, but again, notice you're trying to actually, idk, understand the situation, use empathy.
I see GGP's comment attitude all too frequently on the internet ("nobody is entitled to anything") as the default. Which is such a nasty connotative strawman, it's kind of absurd. But hey, that's the internet for you.
Bad analogy, MinIO isn't a basic commodity required for life.
Maybe a car analogy (because they hardly work). It's like lending your car to someone everyday then stopping, then the person complains that they have no way to get around. But there is walking, biking, busses or buying your own car.
I don't see how "basic commodity required for life" is a necessary criteria for any ethical standards to apply at all. This is about trust, community and how to be a good project steward.
Then will you be volunteering your time and resources? Remember: once you start volunteering, you cannot stop, because you will "break everyone's trust and expectations" or even be "malicious". Happy volunteering.
The claim isn’t that “you cannot stop”, but that it’s rude to not communicate about that ahead of time.
Of course the entitlement to volunteer work is also rude, and in my opinion worse.
This is exactly what happens when you volunteer. When you've had enough, or just want to spend your time in other ways, you're hounded to come back, to continue to help, and to varying degrees made to feel guilty because you decided to stop doing something that you had been offering for free.
I don't think this is a reason to never volunteer but you have to develop a thick skin, know where your lines are, and at some point politely but firmly say "no."
Electricity is not a basic commodity required for life. It is convenient for sure.
> Again, true legally, but IMHO a really silly position to take overall.
Is it? Let's take a look at the opposite scenario: What if MinIO never released any source code at all? They'd be just another 100% proprietary company like any other and would have never received any backlash for "pulling up the ladder behind them". So offering something for free and then rescinding later is treated worse than never offering anything for free at all!
What a way to entice companies to do open source guys, great job!
" So offering something for free and then rescinding later is treated worse than never offering anything for free at all!"
This is true plenty of times. In particular, if you violate social expectations/etc, you will often see this.
For example, here's an easy case:
I am about to go plant a bunch of trees.
A neighbor sees me going to do it, and offers to do it for me for free, because they like to do it.
I say cool. They can even say "just so you know, i'm not your contractor, blah blah blah" or whatever. Doesn't matter.
I go do something else with my time.
A week later, they did half the job, and quit, or they did the whole job and made a hash of it, or whatever.
1. It wouldn't make sense for me to expect them to fail or stop doing it or do it poorly just because it was free. Nor plan for them to fail.
2. Most people would still complain even though they paid nothing, and are arguably no worse off (depending on the options you pick) then when they started.
3. Most people would definitely feel like it was worse than doing nothing.
Now, in this example you could argue it's the poor quality/stopping halfway through that is causing this result, but you would IMHO see the same result even if they did a great job, but stopped after doing 90% of it, leaving me definitely no worse off, and probably much better off.
In the end, people's expectations are emotional and not simply rational.
Sticking with your analogy -- your townsfolk getting energy for free. As rational people they must include the possibility of free service being over at any time in their planning and act accordingly. Otherwise they're just freeloading.
Of course they are freeloading - and users often suck - but your latter doesn't follow.
It's fair in the singular case (IE if this is the only open source/free thing you use), but especially as you are dealing with more and more things like this (IE use lots of open source), it is totally irrational to expect them to plan for any of 50 open source projects they use to stop at any time.
It violates general good faith expectations. Just because someone is doing something for free doesn't mean you expect them to fail or stop - The cost is fairly orthogonal to most people's expectations. I don't expect any package in my linux distro to just stop existing or working at any time.
Sure, it would be sensible to plan for eventual failure of things you depend on, but it's not rational to expect people to plan for random failure of any of the things they depend on at any time, regardless of the cost of those things.
More to the point, it's not entitlement on their part to avoid sitting around waiting for the other shoe to drop all the time :)
The projects also often have the perspective of "it shouldn't be tha big a thing" but that's because they ignore they are not the only thing happening in their users world.
Did you read the comments on Github (linked by the title)?
So many commenters are just plain rude. They got free value for along time. Someone giving the free value decides to allocate their time otherwise. And the long-time receivers of the free value now cannot behave.
And you seem to make excuses for them...
It's just rude to behave like that after having enjoyed gifts for so long. They behave like spoiled children. Nothing to defend IMHO.
Github is awash with accounts with zero contributions to anything who use it to lobby for their personal requirements.
This shows a fundamental misunderstanding of OSS.
You're essentially saying that only users who contribute to OSS are worthy of attention and support. This is no different than saying that only commercial users, or those from specific countries, backgrounds, or industries are worthy of the same.
Those users who create issues, request features, and, yes, ask for support, are as valuable as those who contribute code or money. They're all part of the same community of users that help build a successful product. And they do it for free for you, because they're passionate about the product itself.
If you think otherwise then you should make your terms of service explicit by using a restrictive license and business model. OSS is not for you.
Yes, some people can be rude, demanding, and unworthy of your attention. But you make those boundaries clear, not treat all non-paying users as entitled children.
> If you think otherwise then you should make your terms of service explicit
FOSS licenses already do that: they shout at you in all-caps that the authors PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED.
Meanwhile the licenses don't say anything about communities.
For better or worse, OSI convinced everyone that "open source" is synonymous with using specific licenses that meet their definition. If that's the case, then how can it be a "fundamental misunderstanding of OSS" to strictly interpret OSS by the terms of the licenses, which don't mention any sort of "social contract", while they do include language explicitly contrary to such expectations of users?
> how can it be a "fundamental misunderstanding of OSS" to strictly interpret OSS by the terms of the licenses, which don't mention any sort of "social contract", while they do include language explicitly contrary to such expectations of users?
Because free and open-source software is more than a set of licenses approved by some governing body.
It is part of a social movement and ideology pursuing the open sharing of knowledge, and building communities around this where everyone can benefit, not just a select few. Software is one aspect of this, due to its roots in the hacker counterculture of the 1970s, but the core idea extends beyond it.
You can read more about this in many places. Bruce Perens specifically refers to a "social contract" in this early post[1] on the Debian mailing list. This is what is usually referred to as the "spirit" of open source, and is not strictly encoded in any official definition. The success of OSS depends on implicit mutual trust and respect, not on explicit rules and licenses.
[1]: https://lists.debian.org/debian-announce/1997/msg00017.html
Many open source projects have never opted-in to a social movement or ideological pursuit. Software meeting the OSI's definition can unarguably be called "open source" without any other implications of an ill-defined "spirit" which is completely subjective.
If I host a code repo on an otherwise static site, with no ability to contact the author or engage in a community, it is still widely considered "open source" if it uses an OSI-approved license.
Likewise if I host the same code repo on Github and disable issues and set the pull request template to say "All PRs will be closed and I will shout expletives at you for wasting my time", if it uses an OSI-approved license then it is still open source per the OSI's own definition.
> But you make those boundaries clear, not treat all non-paying users as entitled children.
True in theory but no one has infinite time to distinguish correctly between good feature requester or bad one.
Have you not seen some of the replies at the link?
For example:
"You are joking ?!
The commit about source only is 4 days old (9e49d5e)
We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may loose a paying customer with this behavior."
Why would a paying customer use the open source version? Deployment in non-prod?
I do this frequently. To prevent vendor lock in and allow us to easily pivot if pricing gets out line. We pay to support the project and get technical support when needed. Considering how little we use technical support. It should be a good deal for the company.
For one: Using open source version often is a lot simpler. Commercial versions are hidden behind authentication and other weird systems to download. User experience can be a lot better.
Then there are ideological reasons: Purposly trying to make the open source version sustainable.
And then reduced lockin etc. by not using Enterprise only features by accident/convenience, which leaves the door open to leave the contract.
In my experience, you start using the open source version, realize you could benefit from paid support, so you "buy a license" and get your support -- but then you never have a big enough reason to do the lift to the commercial version.
Because I want to give a project money but also want to make 5000% sure the entire thing is in github, working, the latest, compiling and that we can do all of that all of the time? What is strange about that?
I think if you analyzed your day to day life you'd be surprised with how many reliances you have on norms and social contracts. I personally don't want to live in a world that depends on an explicit legal basis for every single thing, and I doubt you want to either.
The GP didn't say it entitled them to anything, but that it created a sense of entitlement. You are correct there's no contractual obligation to do so, but it was likely a part of the decision to go with their solution, i.e. "they make it easy to deploy!". It is a very logical conclusion to say "they just made it HARDER THAN BEFORE to deploy".
Promises are not always explicit written permission; that's why I got in trouble for re-broadcasting major-league baseball with only implicit verbal permission (thanks, Simpsons!)
> > When you always published and built Docker images for the public you are creating an expectation
> That expectation does not entitle anybody to anything though.
Note that implied contracts do exist, and sometimes expectations based on prior conduct do suffice to form an enforcable contract. In this case, I don't know whether you can reasonably make that argument, but that's never stopped enterprising lawyers before.
https://en.wikipedia.org/wiki/Implied-in-fact_contract
“I’m not legally required to be nice” has become a classic and very common HN/Reddit argument. While true, it’s kind of beside the point. People often go beyond what they are legally obligated to do, and other people often expect others to go beyond what we are legally obligated to do. This is about nice vs. not-nice instead of legal vs. illegal.
Calling out shitty behavior doesn’t mean you felt “entitled” to anything.
Not all shitty behavior is governed by contracts and licenses. You can be an asshole without violating the terms of a license.
> Without any contract or promise, there is no obligation to anybody.
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with. There was no contract or promise. The fact you're paying for their service doesn't buy you these rights either. Those are just the terms of service both parties have agreed to.
Similarly, open source software is much more than a license. There is a basic social contract of not being an asshole to users of your product, which is an unwritten rule not just in software and industry in general, but in society as a whole. The free software movement is an extension of this mindset, and focuses on building software for the benefit of everyone, not just those who happen to pay for it, or those who meet your specific criteria. Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it. And your point is that that people who complain about this are entitled? Give me a break.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.[1]
[1]: https://news.ycombinator.com/item?id=45666757
Why isn't there similar expectations for users of Open source? That is be ready to take over yourself if maintainers do not want to do something anymore? Do not ask or demand anything. Do not expect anything but the code. To understand that you can not expect or be entitled to anything. And celebrate what you get just now.
With this the solution becomes obvious. You select piece of technology to build on you are fully and ready to take over it for purposes you want to use for it. The code is shared and you should not expect anything more.
> Why isn't there similar expectations for users of Open source? That is be ready to take over yourself if maintainers do not want to do something anymore?
Of course there is. Which is why many hostile projects get forked.
"That is the beauty of OSS", I hear you say. And I agree, but most people aren't developers. Even those who are, might not be familiar with the technology to continue maintaining the project. And even those who are, will still need time and effort to understand the codebase at a level that they're comfortable with maintaining it. And even those who are interested in all of that, might not do a good job at it.
So, ultimately, it is a very small subset of users who would not only have the capability to continue maintenance, but would manage to do as well as the original maintainers for the benefit of the entire community.
Most people saw an interesting piece of software, gave it a try and enjoyed it, and, if the project is successful, would probably like to continue using it. When the original developer ignores or is actively hostile towards these users, you're saying that they have no right to be upset about it? That's what I find ridiculous.
Yes, some people can be demanding and annoying, but that's true regardless if they're a paying customer, a contributor, or a "freeloader". The way you deal with this is by communicating and setting clear boundaries, not by alienating your user base.
I think you are digging in a little too hard here. If someone offers a capability that you don't have, and you build that into something you use, then saying that they should be ready for it to go away at any time and be happy to have had it, seems a little too much.
If there had never been an offer, they would not have built around it, and would have found another solution and, even if harder or more inconvenient, learned how to use that and built around that. Sure, no one is obligated to continue to provide them with the product, but saying that they are being unreasonable for expecting a little bit of warning time before having support pulled is a bit unrealistic.
I know we have done the metaphors to death already, but let's try another one: imagine if someone gave you a ride to work every day for years and one morning they didn't show up and you couldn't get in touch with them. You should have had a backup plan, and you shouldn't have depended on them, but it will take you a while to find a car and rearrange your schedule and learn how to drive or whatever you have to do, and all they had to do was notify you a month or two earlier that they wouldn't be able to do it anymore.
Metaphor I often see in FOSS. You are this hobby painter sitting every morning on Monmartre square in Paris, painting. It attracts people's eyes. They love your work and you become a sensation, going viral. Instagram influencers from around the world just need you in their picture, they say. You just shrug and paint. One day you got bored of Monmartre. Of pleasing the crowds. You want rest, a spot in nature to paint in peace. When the crowd learns, an angry oproar bursts out, and people demand you stick to your familiar spot, or else.
Mine was much better.
If the painter doesn't enjoy painting in public, then they should've picked a quiet spot in nature in the first place.
And yet, most people who do decide to share their work in public, directly or indirectly reap the rewards of it. They get exposure and recognition, which in turn opens many doors. I'm not saying that exposure alone puts food on the table, but it's certainly not entirely negative. Many people would envy to be in that position.
Your analogy is akin to any public figure enjoying their work, but not enjoying the attention. That certainly happens, but the attention, and all its negative aspects, comes with the territory. That attention might even be partly responsible for getting them to where they are. People in such line of work must learn to live with their choices. Not be surprised when their audience has certain demands and expectations, which may or may not be within reason.
> If the painter doesn't enjoy painting in public, then they should've picked a quiet spot in nature in the first place.
Sure but maybe the changed their mind or just got burned out.
And that's fine too. Someone else may or may not continue their work for the benefit of the community. They can be honest about it, and most people will be understanding and thankful for their work.
But that is not what happened in the case of MinIO, and many other projects. They deliberately removed features from the software, and made it more difficult to use. They prioritized working on their commercial product, and used the "community edition" as a marketing funnel for it. This is what I'm objecting to.
In any case, I've made my point clear, and don't like repeating myself. Cheers!
>Someone else may or may not continue their work for the benefit of the community.
Someone still can. They can't revoke the AGPL license of previous versions.
>They prioritized working on their commercial product
It's a company, not a non-profit. What else would you expect them to do?
I'm less understanding when a VC backed company does things like this, but many times its just a matter of "we were trying to make money by doing X. X is no longer working, so we're moving to Y".
I've also seen hostile mobs form when very small companies or individuals decide to start charging for things they used to give away for free, so it's not just that they are a VC backed company here.
Huh, even employment nowadays doesn't come with month or two notice from employers. And here some one giving things gratis need to issue notice lest you might be inconvenienced.
Do you actually want everyone to treat everyone else like employers treat their employees? I don't think that is as good of an argument as you think it is.
You're more annoying than the people you complain about.
> The fact you're paying for their service doesn't buy you these rights either.
It certainly does. In the UK and many other countries (possibly not the US), as soon as you are paying for a good or service you are entitled that it is satisfactory quality, fit for purpose and as described. I think it's uncontentious that a meal at a restaurant that includes poo is not satisfactory quality. Businesses have less rights than consumers but this would still count. However, the restaurant is certainly free to refuse serving you at all (unless they're it's because of a protected characteristic e.g. because of your race or gender).
I'm not sure how much that affects your analogy since it was probably a bit too far removed from the original situation to be useful anyway.
> It certainly does.
No, it doesn't. Yes, there are general safety regulations in any country, but there are no hard rules as to what "satisfactory" or "fit for purpose" means.
My analogy was contrived to make a point. Of course serving actual feces is not "satisfactory". But I imagine that you can extrapolate my analogy into an infinite number of possibilities where someone who once enjoyed certain services or products can find them not "satisfactory" anymore. That is a commonplace situation in any marketplace, and it is perfectly valid for the person on the receiving end to be upset about it.
The one hole you can poke at my analogy, which I anticipated, is that there is (typically) no financial transaction between users and developers of free software. But my response to this is that a financial transaction is not a requirement for the social contract to be established with users of any product or service, regardless of its distribution or business model. Those users can still expect a certain level of service, and understandably so. This expectation exists whether the person is a customer or not.
A closer analogy might be a community kitchen, or garden. But it really makes no difference to my argument.
The free software philosophy is agnostic to how software is monetized. It's true that it is more difficult to do so than with proprietary software, but it's certainly not impossible. Many companies have been built and thrive on producing free software. The crucial thing, regardless of the business model, is to treat all your users with the same amount of respect, dedication, and honesty. The moment you stop doing that, don't be surprised when the community pushes back. That's on you, not on "entitled" users.
> No, it doesn't. Yes, there are general safety regulations in any country, but there are no hard rules as to what "satisfactory" or "fit for purpose" means.
There are not specific rules for every type of product in consumer law because that wouldn't be workable. Instead, you have to make your case in court, if it gets that far, that it doesn't meet that criteria. The judgements have to be made by squishy fallible humans, but it does happen; small claims courts rule on that sort of thing all the time. Your example would surely be found unsatisfactory.
So, yes, in the UK and other countries with a functioning political system, buying a product literally does buy you the right for satisfactory quality, and the right to get your money back if it isn't. That applies to everything from sandwiches to cars to email providers. (Again, that's only if you're a consumer. Protections are much weaker if you're purchasing as a business.)
It's remarkable how you keep ignoring my point.
I set a deliberately contrived example to illustrate why someone might be understandably upset when a service or product they've been enjoying degrades in quality, regardless of whether they paid for it or not, and the parallels that situation has with OSS rug pulls. Yet you've managed to make this about consumer protection laws, for some reason.
Since the conversation has derailed, and since I really don't have the patience to rehash everything I've already said in this thread, I'm out.
It's not contrived, it's just bad, unfit for the conversation at all. A meal at a restaurant is paid for, MiniIO is not. There's no room for "regardless whether they paid for it or not", the distinction is fundamental to the discussion. You don't get to decide it doesn't matter.
You can't complain that the neighbour who used to give you a handful of apples each day suddenly stops giving them to you, regardless of how dependent on them you've become. He did not "create an expectation", you did. He did not make you "dependent" on himself, you did.
> If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.
But MinIO didn't do any of that. They're still a 100% open-source project, with the proper license.
Truly strange analogy. 1) No restaurant is serving free food for years. 2) Serving poop will be really be very serious, legal issue even it was served for non-tippers.
Seems like the new definition of open source is not license, not code but What I need others must do for me
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with.
That has got to be the most fallacious analogy I've seen in a long time, and that's ignoring the fact that serving poop would get you in serious trouble in most jurisdictions. "False equivalence" barely covers it.
There is a basic social contract of not being an asshole to users of your product
Nope, nope...you win. Even more fallacious. Being an asshole to your users is a meme in OSS it's so common. Someone should tell that Linus guy about this 'social contract' he agreed to and signed that he's in violation of. /s
Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it.
You think there's a philosophy. Some other people here do. There is no consistent OSS philosophy. There wasn't back when Stallman was thinking "what should I call this thing that is Not Unix" and there isn't today. If that was remotely true we'd still be happily using GPLv2. Because at the end of the day there is what is written in the license, and then there is wishful thinking. Sometimes wishful thinking results in nice things, and sometimes...well...here we are.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start.
Ignoring the laugh-out-loud silliness of "you should pick all these things about your startup day #1 and NEVER CHANGE THEM", exactly what terms of their OSS license did they violate? Be explicit. Don't wave your hand and say "but social contract that doesn't exist!", "but philosophy I made up and want to apply to people who didn't agree to it!". Because a license only means what's written down in it, not what we want it to mean. I get that you think there should be a "No assholes, we'll never, ever pivot to meet market changes and we pinky swear we won't rug pull on you" license that people should be forced to use, but I don't think to many people will sign up for it. See: GPLv2.
You're correct and the project isn't entitled to any good will or usage from the community either. So they get what they get, just like the community. Or you know, everyone can just give a shit about each other even if it's a bit more effort.
[dead]
You seem more entitled to your opinion than others.
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Not everything is legally enforced. Open source is a social phenomenon. Why are you so surprised that these social rules are being enforced socially?
There are obligations... it's how society functions.
> I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
I really don't get this entitlement. You expect that nobody should follow any social contracts and I'm sure are always surprised when people call you out for being asocial.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distributions standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
</rant>
> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.
Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.
This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.
I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.
I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.
> Does it make you less frustrated
No. There is no valid justification, and the suggestion otherwise suggests a lack of understanding of what exactly these rude individuals are demanding.
The very least people can do when receiving such quite extensive voluntary favors and dedication from others is to be polite and show proper gratitude and appreciation. Otherwise, they are not worth the personal and uncompensated sacrifice of time (a quite non-renewable reosurce) and personal health required for the support. They are not even worth the stress or brain cycles required for communication.
(Not saying there aren't plenty of people showing appreciation - otherwise we would have given up on FOSS entirely a long time ago - just talking about those that don't)
> No. There is no valid justification, and the suggestion otherwise suggests a lack of understanding of what exactly these rude individuals are demanding.
Like I said, the fact that people are human, and that minios did a thing repeatedly, is why the expectation is there. Saying it's not justified is like saying the sky isn't justified being blue, getting upset and frustrated about it is even more silly.
There's no need for people to be rude, I agree, but I don't really see any people being disproportionately rude in their comments, especially in the context of a provider who pulled part of their provisions without fair warning.
They are also, by complaining, incentivizing other people to not even offer free services in the future. Why set yourself up for accusations that you're 'breaking your social contract' or whatnot?
Discouraging unreliable free things is good in a lot of cases.
Funny that pattern recognition does not extend to the universal pattern of "things end". A stoic would be appalled--if they'd care.
Why not talk about other parts of coexisting with humans? Parasitical relationships, having to learn and adapt, communicating your needs instead of making assumptions, etc.?
> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.
If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.
Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.
It’s irresponsible to use open source software, be it a docker image or the application itself, if you’re not willing to maintain it or replace it yourself at short notice if what the maintainer is willing to do/publish no longer meets your needs.
Don’t like it? Stop being a parasite and pay someone for a support contract.
As far as I can tell, people who are paying for support contracts were also impacted by this. It was explicitly called out in that thread
It is also not irresponsible, or a rug pull. The project is still available, free, and widely packaged as it always has been, just one redundant source removed.
I don't get why one they would provide prebuilt binaries in the first place, and removing them is just cleanup.
> Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company
so its a communications issue? if minio or whoever explains this, OK. that's not what happened, so it's not what happened.
If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out it had a knife guard put in place.
We're not going around making kitchen knives illegal. I would go out of my way to mitigate footguns where an entirely legitimate use or legitimate source of confusion would turn foul, but if you chose to go out of your way to misuse it as a hammer or ignore documentation, then you're on your own.
In this case, we're not even talking about that though, it's just a redundant prebuilt binary getting janked. I don't think it makes sense to provide prebuild binaries in the first place.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
To me, there are two aspects:
- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)
- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
> if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it
Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.
> of course, if you run out of business or something bad happens to you, that's something else
Huh? So now everyone should let you know "it was out of their hands"? You have no idea how entitled you behave.
> There is some kind of implicit commitment.
No. That's just between your ears. It's putting fancy words on a feeling you have, not something that actually exists.
> what's the point of even providing pre-built Docker images if you expect people not to rely on them?
How do you know they had that expectation? And why do you care?
> This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
You are excusing yourself for these commenters that behave like spoiled children: not thankful for what they got for free, but only bitching when it stops.
Hey, tone down, please. Also, have you, for some reason, totally missed the first point in my comment?
> Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.
Fully addressed in the "if you can help it" part of my comment.
> You have no idea how entitled you behave.
I have 100% idea how entitled I behave. I don't at all. I don't use MinIO. As an employee, I push internally for relying on our own infra (but we are quite good at this already).
I don't expect open source projects to provide binaries. Well, I kinda do if they've been doing it though. Expectations vs entitlement? Not the same thing.
We're discussing human interactions and expectations here.
---
So, in your opinion, what's the point of providing pre-built binaries if you don't want others to be able to rely on them then?
As someone who develops free software in my hobbies and also as an employee, if I provide binaries for free, I 100% expect people to be able to rely on them, or I just don't do it, and I would 100% feel like I'd be causing them issues by stopping doing it on short notice. I would feel like I'd owe them explanations (and their can be valid ones I'm sure - burn out would be a hell of a valid explanation to stop working on the projects at all) if I did that. They'd not be entitled to receive the binaries from me, but they would expect it and breaking expectations is not very nice. I have difficulties seeing this another way to be honest.
Let's also recall that we are talking about a project who's business might have benefited from the adoption in the first place.
> why do you care?
I could care about nothing, but that's not what I'm on HN for. I'm curious and interested.
You can read more about my views on this stuff here if it can help understand me: https://news.ycombinator.com/item?id=45667271
If you were relying on their pre-built binaries, you presumably still have them. It's not like they went and deleted them off of your computer. They're just not giving you new pre-built binaries (but they're still giving you new code for free! And others pre-build binaries for free anyway). Do the old ones stop working at some point?
Note that a CVE is not an indication that something doesn't work. In the real world, they're mostly relevant only for businesses that need something like PCI compliance. Especially for something like a storage server that shouldn't be directly exposed to the Internet. If you are a business that has some compliance obligation, you have no one to blame but yourself if you rely on others' charity to meet that obligation.
Existing binaries don't stop working, but adapting your infra to get the update can take some time.
Without other elements, it's definitely not nice to stop releasing the binaries out of the blue, especially for a security fix. To me it's purely a question of breaking expectations you've built yourself (I don't mean entitlement, I mean expectations).
Now, it's indeed not the end of the world, and:
> you have no one to blame but yourself if you rely on others' charity to meet that obligation
100% agree with you on this (that's my first point in my original comment).
> To me it's purely a question of breaking expectations you've built yourself (I don't mean entitlement, I mean expectations).
Let me stop you right there. MiniIO never promised to provide docker images for free forever, have they? So where does this "expectation" come from?
If thou are pained by any external thing, it is not the thing that disturbs thee, but thine own judgment about it. And it is in thy power to wipe out this judgment now. (Marcus Aurelius, quoted in Beck, 1976, p. 263)
...It's you who has built the expectation, not MiniIO, for it exists only in your mind.
> it exists only in your mind
Yeah that's in the definition of the word "expectation".
But despite that, expectations based on actions are real, and you can't logic your way out of them mattering.
I hope you do realize that most of your knowledge on how (y)our world works is, for a big part, based on implicit expectations that you or others infer from past observations.
> ...It's you who has built the expectation, not MiniIO, for it exists only in your mind.
The MinIO team understands very well that they have made everybody "build this expectation [each] in [our] mind[s]". They wouldn't have felt the need to write any announcement that they would stop distributing the binaries otherwise.
> for free forever
This is an exaggeration that grossly misrepresents what I'm saying, and without which your point becomes very weak.
You have two choices here:
(a) acknowledging how your fellow human beings build expectations and, harmed with this critical insight, leave in peace, or
(b) sticking your head in the sand.
I highly recommend the former, especially if you don't want to look like a Vogon.
I'll go further: if someone has been releasing a binary for each version of their software, without specific announcement, it would be unreasonable not to expect a binary for the next version. There's absolutely no reason to think things will be different and the binary won't be there.
Compare to bitnami: https://github.com/bitnami/charts/issues/35164
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> you are creating an expectation
thats entitlement but seen from the other side.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
This only inconveniences open source freeloaders. Maybe you can volunteer some time to build Docker images?
Rant about the concept of open source freeloaders: there's no such thing as open source freeloaders. If the license explicitly gives you the right to use the stuff for free, there's nothing wrong in using this right. While it would be the right thing to give money / otherwise support the projects you rely on, it's on the software developers who decide to give these rights (I also think it's the right thing to do though) to figure out the business model.
There's also nothing wrong in being upset about something you relied on disappearing overnight. If someone decides to provide something for free, they should give time for people to stop relying on this free stuff if they can.
However, I also believe you should own it if you decide to ever rely on prebuilt Docker images. More specifically, if you are relying on prebuilt Docker images, you are letting someone else decide on a part of your infra. And yes, this someone else can decide to stop providing this part of your infra overnight. This is on you.
I also don't find anything wrong in deciding to not provide binaries for your open source project, or to stop providing binaries, including docker images.
freeloader (OED): a person who takes advantage of others' generosity without giving anything in return.
Sounds exactly like freeloading to me. You may think of that term negatively, but it is exactly what it is.
We also find the Wiktionary definition [1]:
> One who does not contribute or pay appropriately; one who gets a free ride, etc. without paying a fair share.
Which I believe is a bit more generic (giving back might not be the only way of being fair).
> You may think of that term negatively
But the term carries a negative judgement, what's the point of this term otherwise? Without the judgemental part, you'd just say "using for free" or something.
The whole question is: is it fair to use open source software for free?
And I believe it is. Actually, this is stronger than this: I believe people should feel free to use free software for free, and should not be looked down for doing so. This is key for freedom 0 to be an actual thing. (I'm not set in stone in this position and would be happy change my mind on this though).
The notion of "giving back" can be discussed. I believe it is fair to get stuff from Person A for free and then helping B for free (later or earlier), in the hope that some person P will eventually help / have helped Person A for free for instance - this has the potential to provide everyone with a strong, helpful society and it would be even more enjoyable and reliable than a society that enforces pair to pair transactions.
Indeed, if someone always takes stuff for free and never contributes to anything, I would find this unfair (unless for some reason they can't contribute back, because of a disability or something). I would call this freeloading. Society cannot work like this. But you need the bigger picture to assess this.
When you start to try thinking about all this, the concepts of giving back, fairness, etc, it gets quite complicated. You also need to take in account the way society and the economical system works as a whole. What are the incentives, the motives, etc?
Basically, qualifying someone as a "open source freeloader" without context just because they use freedom 0 without paying is quite bold and might not be fair.
What if a company uses MinIO for free but provides some nice open source software?
Just don't judge someone too fast.
[1] https://en.wiktionary.org/wiki/freeloader
What a weird take. Open source projects exist to be used. If you didn't want people to use it, it wouldn't be open source. As such the users are doing exactly what the creator wants: using their product. This helps the creator in many different ways.
Of course many creators are selfish. Once they have benefitted from everyone using their project they think: we want more. Then the rugpulls start. They think they no longer need their users, so now they can abuse them for additional profit.
Fork and build your own. Isn't that the whole open source ethos? Why it was invented and how it is intended to operate.
Indeed, it feels like most people today treat open source as a placeholder for "work I don't have to do myself" and then get confused/upset when the project and their own interests no longer align and requires effort to bridge that gap in alignment.
https://github.com/coollabsio/minio
Coolify is already doing it but your comment is on the verge of being passive agressive. I wouldn't say these are open source freeloaders because they could be using things like watchtowers etc. which automatically update and it could be a very huge deal for automated updates especially after I saw that some recent CVE of minio happened.
Simply put this just hurts the security of people running minio, I wouldn't say its freeloading, its actively harming the community. There are people in that thread who are paid customers as well saying that they lost a customer. I wouldn't say its freeloading. Minio already has some custom license or paid offering and I think that they make decent enough money out of it, providing docker files and then stopping to is kinda a shitty behaviour if they are unable to explain the reasons exactly why. I couldn't find the exact reasons on why they are doing what they are doing except making it hard for people to self host.
It also inconveniences people who aren't freeloaders - or are you forgetting about the community?
People submitting PRs aren't freeloaders: they are building the product for you. People filing bug reports aren't freeloaders: they are helping you solve the bugs in your code. People writing blog posts about setting up MinIO aren't freeloaders: they are writing documentation for you. People holding talks about it at conferences aren't freeloaders: they are essentially doing free marketing for you. Even someone leaving a "thumbs up" on a Github issue isn't a freeloader anymore!
MinIO is also screwing over those active contributors, who are volunteering their time to improve the value of MinIO's product. That's not just "no longer helping freeloaders", that is "actively hurting the community".
Besides, I'm sure the community has plenty of people who would be more than happy to volunteer time to build Docker images. Do you really think MinIO is going to let them publish it under the official "minio/minio" name so the community can still benefit from it without MinIO having to "support freeloaders", or do you think there could be an ulterior motive behind nuking the image - such as pushing people to the paid version?
MinIO is not actually open source, their source code is just public.
The company I work at spun up a MinIO instance, and we got hounded by MinIO lawyers claiming we had to pay because "hosting MinIO alters the source because of injecting configuration" and therefore violates their open source license.
There have been multiple hacker news threads about this:
- https://news.ycombinator.com/item?id=35328316
- https://news.ycombinator.com/item?id=32148007
> It's an Open Source project - I don't understand what people are complaining about
MinIO is a commercial company that provides some open source components and some paid components and services.
This meme where nobody is allowed to be unhappy with anything when the phrase “open source” is involved is getting old. In the span of two paragraphs your comment discovered why this is frustrating people: They have been providing certain things in the open source leg of their operation and then yanking them and stuffing them under a very expensive commercial leg later, after people have begun using them.
Being upset about that is reasonable and understandable, even if it triggers some of the people who believe “open source” means nobody is allowed to be unhappy with anything, ever.
Company makes Open Source. Open Source community enbraces it, helps it to become the defacto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internaly only, is the gatekeeping they are now doing.
Its like 0 effort to provide these images.
And yes pricing pages like this is always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow i don't get MinIO anyway. They got over 100 Million of investment for an S3 system. Its basically a done product. Its also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
> Its like 0 effort to provide these images.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
I'm not scared at all and could care less about building the image myself.
I'm also not 'entitled' because i'm doing this for another open source project we are now maintaining.
Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.
There is a difference between having the official Min.IO image with a stamp of approval vs. forked repos with their version of the same image. The only thing fixing this kind of issue is a fingerprint and build caches.
They are removing the official container images because 1. this is the magic source of running your software in helm charts etc. so now you need to act 2. in some companies you are not allowed to use random container images
And you are complelty ignoring my arguments. Its not entitlement if a companies product becomes the industry standard due to Open Source and then doing a rug pull like this.
> makes it less secure for EVERYONE if the community now needs to either find a new github repo/company
Correct, and that's the most worrying aspect.
> Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.
Wrong - it would be less secure if they did not share the source code and the Dockerfile along that too. As long as you take care to regularly update, where is the problem?
So just to be clear, they publish the docker image, they have an Github action which is basically free for them to build and release it into a free registry but they don't do it.
So i setup everything to do this on my github with their code and publish it on my package.
And you don't think this is stupid?
The problem is the critisim how they act and even if they release everything and its just building the image, you can't trust another source to upload the image someone else has build with this file. So now everyone has to build the same image.
The scenario you described is mainly just benefiting you. Whether Min.IO loses or wins something based on this decision, will remain to be seen. In either case they don't owe it either to me or to you to provide a built image, especially as they continue to provide the source, including the Dockerfile. In either case if in your setup you are not able to rebuild an image off of a Dockerfile, your setup is worth rethinking. Not to mention that on the security side, it's quite irresponsible to depend on an image from a public repo, without at least pulling it through an internal artifact management system with vulnerability scanning.
[dead]
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining tractions.
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
They removed the admin UI from the web frontend in the f/oss version some months ago, too. I updated for security reasons and they'd stripped the functionality out. It's a jerk move.
MinIO is open source cosplay.
I wrote this back in July: https://sneak.berlin/20250720/minio-are-assholes/
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
I think (and I suspect many users would agree) that there is a big difference between "we are removing some unmaintained drivers for a piece of hardware which almost no one is using" and "we are removing a tentpole feature from the 'open-source' version of our application and making it exclusive to the paid edition".
Certainly, there are some pretty entitled people on that github issue.
But this attitude is too far the other way. Fair enough, you are under no obligation to continue providing a free service. But isn't it fair to give a bit of notice before withdrawing it? Especially after doing it so consistently for so long. Not legally required, sure, but polite.
They haven't even given notice after withdrawing it! They just waited for someone to realise and ask about it.
Bear in mind that many paid for services, on a subscription basis, technically allow the seller to change (i.e. reduce!) the service at any time. If they act in bad faith to their free tier, what should you expect about their paid tiers? You could argue you also shouldn't be using paid services that could behave that way but I think you'd struggle not to.
I agree with what you said, but I think “courteous” might be a better word than “fair”. Whatever word you use, I take it as a sign that unpaid use isn’t as welcome as I thought.
> They haven't even given notice after withdrawing it!
Beggars can't be choosers. It's not fair to not give notice before no longer providing something for free? Come on now.
> I don't understand what people are complaining about. Noone is entitled to receive free Docker images.
Every time I read something like this, I recall this post from Rich Hickey[1][2] on why no one is entitled to benefit from another human being's goodwill and time.
From the post:
> The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.
> Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.
[1] - https://gist.github.com/richhickey/1563cddea1002958f96e7ba95....
[2] - https://news.ycombinator.com/item?id=18538123
But not everything can be "fair game" when providing a service for free. Surely it wouldn't have been OK if they suddenly included a bitcoin miner or extracted credentials. They offered a free service, people trusted it, depended on it. Now, in my view, they have some responsibilty to their users.
Giving a notice in advance and releasing a final image that patched the CVE would've been reasonably responsible.
Years ago I worked in customer service. There was this guy who came in to to motivate us. He talked about the work of someone named Bob Farrell who had a chain of ice cream shops and sold burgers. He had received a letter from a disappointed customer. The customer had been given the extra pickles on his burgers for years and now one of Bob's employees told him he now had to pay extra for it. The customer said he'd never come back. Bob could have said "what an entitled idiot" and kept charging for pickles but he took that letter as a calling for how you should treat customers - just give 'em the pickle. It costs you next to nothing to give the customer the pickle and it makes them happy.
Minio doesn't have to give non-paying users anything, but the story still applies. Give them the pickle. It costs nothing in the grand scheme of things, and if it does, ask for donations like any open source project would do to cover your costs. But as others have pointed out, Minio is not an open source company, they are a commercial company that has source available.
> Minio doesn't have to give non-paying users anything, but the story still applies.
How on earth does it apply when your complete example story relies on the satisfaction of the paying customers. If you're not paying, you're not a customer - you're a user.
> If you're not paying, you're not a customer - you're a user.
This doesn't work with open-source projects: someone can still provide a lot of value to you without explicitly paying for it. If a community member volunteers a lot of their time to contribute code or provide support to other users, then you probably shouldn't piss them off either.
Users have value even when they’re not paying.
They/we certainly do (we are using MinIO as well). But they are NOT paying customer, nor do they pay something back (at least most of us dont), so they should not really feel entitled to the "value" that they were getting for free.
Well removing any distribution after a CVE is a nice touch ...
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
You're correct, however:
1. The MinIO image on Docker Hub has more than a billion downloads [^0]. With those download counts, people have almost certainly written scripts that rely on this image existing (including their own Dockerfile! [^1]). Them leaving these images around is just asking for security breaches later down the line.
1b. While, yes, no-one's entitled to freely-available container images, it cost them almost nothing to maintain their existing toolchain for this. Them deciding to pull the plug is purely and entirely a money grab (and a dumb one, if you ask me; look at how the community responded with OpenTofu when Terraform when BUSL).
2. Fortunately, MinIO is a Golang app and can be built with a simple "go install" (though the build instructions in their docs don't align with the build recipe in their Makefile [^2]). However, they could pull a Tesla and make the source that they publish differ from the source that their binaries are built from.
3. They gave NO notice. That's the slimiest part of all of this. Tens of thousands of Kubernetes clusters, and handfuls of enterprise products, run or package MinIO that are now using images that will no longer be updated. All of these people will need to completely change their toolchains to account for that, and soon. That's just not a kind thing to do.
[^0] https://hub.docker.com/r/minio/minio/tags
[^1] https://github.com/minio/minio/blob/master/Dockerfile
[^2] https://github.com/minio/minio/blob/master/Makefile#L179
"It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. "
While this is true, in all of these discussions, somewhere the notion of responsibility often gets lost.
If you publish a project, encourage people to use it, promote it heavily, etc, then get lots of users, and then decide to kill it, while it's true you legally owe nobody anything, it's sort of crazy to claim people are acting entitled when they complain.
After all, you encouraged people to use it and promoted it!
Again, do you legally owe them anything? Nope.
I am much more empathetic towards those who get surprised by the growth of their projects, or otherwise didn't try to make their project popular and decide to quit when it becomes too large too quickly and becomes a burden.
In general, if you try to encourage lots of people to use or do something and succeed at that, you end up with various forms of social responsibility to those people. That's true in most things, not just open source.
Open source does not get a pass at this social reality simply because, as a legal reality, those users are not owed anything.
Back in July I clarified precisely what people are complaining about. It should clear up the matter.
https://sneak.berlin/20250720/minio-are-assholes/
You don't understand, or don't agree with the complaints. Those are two different things, and I suspect you understand why people are complaining and instead disagree with the complaints.
People are complaining because something was available, they adopted it, then it was discontinued. Apparently with little warning, and after they'd been encouraged to adopt it by the provider of the images.
As it happens, I agree with the general idea that if folks are not paying for the convenience of builds, then it's on them to work from source. However, it's better IMO if a vendor or project start from that position rather than what's seen as a rug-pull.
Of course, it's part of the playbook: when something is new and not widely adopted, the vendor goes to great effort to encourage adoption -- then the vendor starts looking at the paid vs. free usage and sees "huh, we have a 10000:1 ratio of paid to free users, including ten megacorps that show up grabbing binaries every 10 minutes for their CI/CD farm, and asking questions in our forums, but aren't paying a penny toward development and our investors are getting pissy."
Exactly. looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
Usually it's the short notice that gets peoples' hackles up. It's kind of a dirty trick. Everyone knows things can change.
But a properly built image is a nice part of a product release.
Building a quality production ready image is not trivial, and it's always welcomed from the vendor.
Uh this is a superficial take. It almost certainly took more effort to hide the images from the public than to publish them.
The community that made them is being shit on.
Or one can just use old images. Which is what many people started doing after their other fuckup - removing perfectly working web UI from free version.
They just can't stop shooting themselves in the foot that didn't even heal from last time.
The last tag with a working web UI is RELEASE.2025-04-22T22-12-26Z btw.
Terrible advice when a CVE is being discussed.
Not a full replacement but there is Garage, which was quite well received in other HN threads.
https://git.deuxfleurs.fr/Deuxfleurs/garage
Afaik Ceph has its own object-storage functionality as well, which seems to be S3-compatible: https://docs.ceph.com/en/latest/radosgw/#object-gateway
Yeah. They also created a open source test suite for S3 clones.
https://github.com/ceph/s3-testsOh heh, a trip down the memory lane. I wrote the initial version of that, in an era where AWS docs did not match observed S3 behavior. The only way to make an S3-compatible API was to create a suite of over-the-network tests to run against both AWS S3 and radosgw.
We also had a little grammar-based fuzzer for S3 requests (really, any HTTP), but over the last 10+ years I've lost track of what happened to that code. That found some incompatibilities with allowed character sets etc too.
I believe you're forced to have your data backed by a Ceph OSD. Whereas Minio can point to an NFS share on a NAS.
Minio used to be able to do this, but they dropped this feature - "gateway mode" - several years ago.
Minio doesn't need to have first-class support for NFS. You can quite easily point an NFS share mounted as a directory in the Minio container.
> I believe you're forced to have your data backed by a Ceph OSD.
It makes perfect sense as this is a feature of Ceph.
> Whereas Minio can point to an NFS share on a NAS.
Eh, different trade-offs.
Can vouch for it as an adequate self-hostable option. It has some missing features, compared to Minio, and is less compatible but works for most applications.
could you elaborate on this? we're looking at moving off cloudflare r2 in the somewhat near future and garage is on our short-list
Garage worked for most of my use-cases but it lacks, among other endpoints[0], bucket ACLs and bucket replication. Anonymous access is also an open issue[1].
They are also a comparatively young project and while fully OSS do not, afaik, appear to have a solid long term funding source yet. Though that might be an opportunity to support them, if your company is interested in picking them.
[0]: https://garagehq.deuxfleurs.fr/documentation/reference-manua...
[1]: https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/263
We are also looking into Garage, does it support 206 partial content seeking on the files in the bucket via it's http interface?
Garage should support partial content seeking via its HTTP interface, if it is S3 API compatible which includes support for range requests/206 Partial Content response.
I find garage to require quite a lot of fiddling.
Care to elaborate?
There were setup commands I needed to run before the docker image did anything. I’m used to just specifying an access/secret key and having it work.
Garage uses the AGPL v3.0 license, which is not an open source-friendly license.
Doesn't support if-match.
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
---
See also the relevant README section: https://github.com/minio/minio?tab=readme-ov-file#source-onl...
OK, we updated the title to your suggested one now.
What was the previous title?
It was: MinIO (apparently) becomes source-only
Thanks tomhow!
For those left wondering what the original title was, it said minio went source-only.
I don't see the problem in either case. For a Gentoo user, it changes nothing.
That was my interpretation of the title when I first clicked it. Still interesting but easy to misunderstand nevertheless.
We [0] use MinIO with for our clients so we've just thrown together a nightly build process. Use/fork as you wish:
https://github.com/golithus/minio-builds
Example use:
[0]: https://lithus.euIf anyone is wondering, the Dockerfile for this repo (thanks for sharing!) basically just copies the binary in, it is a 19 line dockerfile.
I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself.
https://github.com/golithus/minio-builds/blob/main/Dockerfil...
>I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself
I don't. It's automated, it needs approximately zero attention. This is just a company that got where it was benefitting from open source taking the free toys away thinking there'll be profit in it.
I've spent a lot of time trying to get pytorch working inside docker against cuda. That's a big challenge even just on one architecture. It isn't as simple as you make it to be and they have to determine how they allocate resources so they can pay people. I'm still grateful for this project and would rather they dice focus on functionally than packaging.
No problem!
And it is very true. Although the binary does also need building, which is also handled in the above actions workflow.
Curious how you handle legal reviews by your customers' shipping AGPL licensed software? We've had a lot of pushback from legal even on licenses like MPL
What makes me sad is that, as mentioned in other threads, this destruction in reputation could've totally been avoidable. If MinIO had took the time to give out warnings months in advance and help community members (or even other companies) to host the Docker builds somewhere else, there would've be close to none backlash. Yet they've decided to make it such an abrupt transition and especially when a CVE is involved.
I think both sides of this argument are correct:
1. MinIO is a business and they don't owe anything to anyone for free. 2. People using the OSS version also are free to express their dissatisfaction.
This is not contract law though. This is about using OSS as a marketing gimmick to get mindshare, penetrate the market and then do a bait and switch.
From one hand, it is within their right to do whatever they want as marketing. From the other hand, we as the community should be more aware of OSS as marketing vs OSS as we would like to see it.
There is a damage to the community however: this erodes trust in OSS companies, so just like "content marketing" or "influencers" or any other type of marketing, after a while it loses its effectiveness, to the detriment of real "content", real "influence" and real "OSS".
People should understand from the outset that open source contributions from for-profit companies must benefit that company.
For VC-backed companies -- or anything else where it's spend now, profit later -- the bait-and-switch is practically inevitable.
(Or, of course, the company can simply stop contributing, either from going out-of-business, or pivoting, or being acquired, etc.)
If you're considering building long term on oss from a for-profit company you should count on having to pay in the future. You should believe you have a decent understanding of their business model so you have an idea of how much you might need to pay. Of course that's usually very difficult for VC-backed "spend now, pay later" companies, so you might be best off avoiding them for anything long-term or foundational unless you think you can bear to switch, possibly on short notice.
I generally agree with your point. Over the years of being responsible for technology stack choices, I've come to apply one rule of thumb on OSS projects: is the project a core competency of the company behind it or not. For example, Github might open source their language detection library or Shopify might open source some frontend development project. These are not core competencies of Github or Shopify. Their business is somewhere else.
However, if I start a business and open source my core competency, with or without VC money, I will have to turn a profit or die, which leads to such outcomes, from MinIO to Hashicorp.
I agree with all the points you make. Just adding a detail to the following bit:
> 1. MinIO is a business and they don't owe anything to anyone for free.
I don't think MinIO discontinuing the free docker image is really the problem here. Creating and distributing such images cost them practically nothing - either in infrastructure costs or in HR costs. If they find it that difficult, they only need to say it. Either the community or another company will gladly take it up for free. Even other cloud projects have alternative distributions like Bitnami builds.
The real issue is the pattern of behavior that this move exposes. They seem to have removed the web UI from the community edition claiming that it's hard to maintain (another thing the community would have gladly taken up if they were informed). They also stopped updating the community documentation. And these largely escaped attention until the docker build was discontinued. That itself is controversial since much effort wasn't spent in letting the users know that their current image was going to suffer bitrot indefinitely. Apparently there was also a CVE which was fixed in the source. They didn't consider it necessary to at least push the fixed container as a final measure.
All these are certainly hostile and unkind towards the community and it's bordering on dishonesty. They didn't lie. But neither did they do the bare minimum expected when taking such a drastic measure. It's clear that they're withdrawing their generosity for more profits after gaining a lot of mindshare with their earlier offering. I don't believe that the docker image alone would have inflamed the community so much.
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interesting to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
Done: https://github.com/golithus/minio-builds
garage devs have told me of 10PiB+ deployments in production, but I've never operated one at that scale so I can't share much insight into the experience. Probably best to ask on their matrix chat.
I don't think this is really a big deal. Plenty of others already maintain public OCI images of Minio (Bitnami is one example). So long as that's the case, there are options. I'm not familiar with Minio's licensing terms, so maybe they can put an end to that practice if they want to, but I suspect there are drop-in replacements other than the official Minio Docker Hub image.
What Minio is doing wrong here is thinking too highly of themselves. Their product is a fine implementation of S3-compatible object storage. It has some features that make it attractive for selfhosting. It's far from the only solution, though. The harder they make it to use, the more people are going to switch to easier alternatives.
A lot of companies try to lock down their popular open source/free products once they have a large market share. It always backfires.
Hashicorp did this. There's no reason to use Terraform anymore; OpenTofu is a drop-in replacement that is just as good for almost everyone, and all the community support will shift to it such that it will inevitably be far superior to Terraform.
Redis became Valkey. MySQL became MariaDB. OwnCloud became Nextcloud.
There are countless examples. Yeah, the commercial entities continue to exist. For companies that need support and contracts, there will still be a market. But they are destroying their pipeline for new customers. Why would anyone use a closed commercial project with no community contribution when there's a free, open source option that's either a 100% compatible drop-in replacement or a low-effort pivot to a functionally-equivalent solution without vendor lock-in and burdensome restrictions?
Minio is shooting themselves in the foot. Most people don't give a crap what's backing their object storage, so long as it works.
> Plenty of others already maintain public OCI images of Minio (Bitnami is one example).
Looks like that's coming to an end too.
https://community.broadcom.com/tanzu/blogs/beltran-rueda-bor...
https://news.ycombinator.com/item?id=45048419
Yeah, I saw that recently. linuxserver.io bundles a lot of apps into OCI images, and I use many of theirs because they tend to be better-designed than official ones—or at least more consistent.
And while some people might be intimidated by it, it's not a huge lift to make your own images. I don't mean to trivialize it, because it's at best inconvenient, and can be challenging. In many cases it's only a few minutes of work to bundle something up. LLMs are great at this. For a Golang app like Minio, it's a piece of cake, since you don't have to install a zillion dependencies manually.
Really easy, I made a script to build bitnami images from a command line menu and push it to your dockerhub. It also detects changes in versions and you can rebuild and push again.
https://github.com/tzahifadida/oys-bitnami-builder
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and " While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
[1]: https://github.com/minio/minio/commit/9e49d5e7a648f00e26f224...
It's absolutely stunning that people actually defend this behaviour!
The community is having an outrage - and rightfully so - about a silently discontinued artifact delivery at a very critical time. Which is their opinion and every human being is entitled to have their own opinion and state it openly.
It is also perfectly fine to expect a standardised behaviour to continue.
However, what is most important is that is perfectly fine to shame an open source product for pulling features and money grabbing people after years of gathering community and locking them in.
I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
You are a farmer, not a big fancy profitable one. Your tractor is from 1970 and works great, when it works. Your wife has health problems and can't really help out around the farm much - kids have gone off - so you just do things mostly by yourself. With your lucky dog Skip by your side. Even though times are tough and money ain't coming in like it used to - you still give free produce to the local schools and shelters. You've been doing it for over 20 years, and the community loves you for it.
But then your wife passes. Medical bills are too high. You can't give away free produce to the local schools anymore.
The community is outraged. They come to your farm with pitchforks. They set your barn and fields on fire.
This is kinda what this thread feels like lol.
> I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
Not very much at all. It looks like they're hosting on Docker Hub which doesn't charge for bandwidth. I could create a pro account for $11/month and be able to serve an image billions of times. The compute to build an image is small enough that it can be done at whim on a dev machine.
But when you plug in the numbers: that the farmer raised $126 million, and hosting unlimited Docker Hub pulls costs $11/month, it doesn't quite feel the same.
It's absolutely not what is happening.
It's more like the farmer was giving leftovers for free to schools and it was so good that it made him famous. People from all over the country came in, including businessmen who told the farmer he is missing out and should be charging more for his food. He started a restaurant chain but, the businessmen went further and said that a quality product cannot be given away for free and made him stop supporting schools and shelters which got him rich and famous in the first place. Even tho, he was just handing over leftovers (it cost around USD 100 to host a docker image - yearly)
Think EA, Microsoft and Xbox, Broadcom and bitnami.
I don't understand the point. The entire raison d'être of this project is that you self-host it and don't pay money for S3 and control your supply chain.
If you are denied this possibility — it is much easier just to use S3.
Denied as in „use their supplied Dockerfile and type 'docker build'"?
Ceph is an open source project run by a foundation. Minio is a company backed by VCs looking for a return. There is also seaweedfs, powerscale, openstack swift and hyperstore. The S3 compatible space is crowded.
Curious about one thing - does Ceph's s3 compatible api support oidc based auth? We used to use this with minio before switching to aws s3 and using presigned URLs.
https://docs.min.io/enterprise/aistor-object-store/administr...
As a user of Ceph it does feel like a truly open source project. Redhat/IBM do sponsor a lot of work on the project but there are lots of other contributors. I have contributed maybe a dozen changes myself and it was quite easy to do and the maintainers are fairly responsive.
Also there is garage, which I found easy to setup: https://garagehq.deuxfleurs.fr/
Ceph is absolutely lovely and rock solid. Can't recommend it enough.
I haven't used minio in years, and when I did I only fiddled around with it, but my recollection of it is that it's about the simplest build chain imaginable. Install modern golang, build minio, get single binary.
Anyone relying on an opensource tool like minio, needs to look at:
Once you've looked at that you can decide "is this an anchor I want to handcuff myself to and hope the anchor won't jump into the icy blue deep taking me and my dreams with it?"If the org behind it ever decides to rugpull/elastic you, what're you gonna do? At least with something like minio, if they're still distributing the source it's trivial to build (and if you can't build it you should evaluate if you're in a position to rely on it).
Let's look at other cool open source things like SigNoz which distribute only docker artifacts (as far as I remember, anyhow) -- if they were to rugpull that people relying on it would be totally lost at sea.
This isn't to say that this isn't poor behavior on minio's part, but I feel like they've been signaling us for a while that they're looking to repay their VC patrons.
They have also removed the web UI and stopped updating the documentation for the community edition. The former is not extremely serious as the community can easily replace it. The latter is arguably the worst among all the changes that we know of. While they do redirect community documentation towards its enterprise counterpart, it's becoming clear that the differences in the community edition won't be addressed at all. That will make MinIO community edition less viable over time.
Overall, it's pretty clear that they don't view the OSS users kindly or want them around. I'm pretty sure that they would drop the entire community edition if they could do so legally and without much fuzz. You can expect more like this in the future. So this story shouldn't be seen simply as the loss of a docker image.
Right -- I think it's quite clear that if you're relying on the free minio you need to look elsewhere or peer up with some others and fork it.
And any adoption of a critical piece of software needs to have a risk calculus associated with it of "what if they get bought by CA, invaded by Russia and murdered, murder their wife and go to jail, or dedicate their remaining time on earth to writing haiku?"
Both open source software and commercially supported software have risks and mitigations. I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
> I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
I agree with that. It's just that I find it very annoying that these companies turn against the OSS (user) community after they've gained enough market share by taking advantage of the community's trust and network. This discussion thread itself is full of people calling the users 'entitled'. That's some level of gaslighting! The real question is, how much would these projects have succeeded if they had started under the same terms as the ones they've now switched to? If the answer is 'not very much', then that means the community added significant value to the product, which these companies are now refusing to share and running away with. These companies are the entitled ones, besides being deceptive and dishonest.
The case with MinIO is not as egregious as the others we have seen - elastic, for example. MinIO is still under an open source license. But their decisions to let the community edition documentation rot and to remove the web ui make it very clear that they're trying to make the community edition as unviable as possible without having to take the heat for going all out proprietary or source available. Does this tactic seem familiar? This exactly what Google does with AOSP. Slowly remove and replace its OSS parts with proprietary software and gradually kill the project. Again, it's deceptive, dishonest and distasteful.
Both free software and open source software have a tradition of not excluding anybody from participating in the process, community and contributions. But looking at how much certain companies damage the trust and fracture the community for some extra profit, it might be a good idea to start asking if they should even be given the opportunity to do so.
> If the org behind it ever decides to rugpull/elastic you
I love it that you use "elastic" as a verb here.
I am also so confused as to what MinIO is now. All I see on the website is AIStor - have they dropped the "S3 Alternative" Marketing and went full AI?
If you want VC funding, your marketing pages need to go all-in on AI. Even if your product has nothing to do with it.
Unfortunately yes. I have been looking at one of the well-known VPN infrastructure providers and they use "AI" on their website a bazillion times. Insane.
Yikes
Hey Mike Donovan here. I work at Docker and help with the Docker Official Image (DOI) program. If you're interested in a DOI being created to support the MinIO community chime in here: https://github.com/minio/minio/discussions/21655
Time to switch to Garage for dev environments and reconsider minio for prod. This is not how to do open source.
`docker build` is free, and faster to type than the fake outrage in the github issues and the dicator-calling below in this thread.
With docker build comes a whole slew of dependencies that you wouldn't have with official images. You need some place to host the image, or build on the servers you use for deployment, and cross platform compilation (i.e. ARM images) becomes an issue.
It'll take more time than just typing out a comment on HN to get all of that in play. Actually getting a docker registry of your own set up with auth and everything can easily take half an hour, and adding+testing periodic sync and compile steps in your CI/CD will take another couple of hours if you're not set up for it.
Hardly the end of the world, though. Reminds me of the infamous "why can't people on github just give me the .exe" reddit troll post.
https://github.com/coollabsio/minio
I was reading the github discussion and found out that coollabs has taken on the decision to make docker images for these.
https://github.com/coollabsio/minio
https://github.com/minio/minio/issues/21647#issuecomment-342...
>Until we (the community) figure out something, I made an automated docker image version here: https://github.com/coollabsio/minio
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Idk what I will recommend now? Garage? Seaweedfs?
Wow, ~75 lines of Dockerfile and ~300 lines of github actions, hosted on a FREE platform.
Seriously, what is the rage here, anyone could do this.
I hope you have read the github issue page
This was the first person after so so many comments to actually do something about it, and he's from coolify which can be decently trusted with.
Everybody likes to rant and the dislikes on github issues show but I just respect the guy for even taking his time to write this.
Sure you can try to reduce it to LOC or anyone can do this, but did you?
Also there is a trust factor, I can trust coolify's docker image as compared to any other people.
Anyone including MinIO. So why did they stop doing it when it was so easy?
Especially because they haven't provided any reasoning for this decision, so everyone assumes the worst. I can't really think of any reason for this that puts them in a positive light either, can you?
I wonder how many people only use Minio as a localdev S3 alternative.
At least that's all we use it for really
I have a 160TB minio cluster running for 4+ years who had dealt beautifully with node outages, one drive failure and the occassional hiccups on the datacenter.
I was okay with not having support because I am not part of their customer base. I was okay with not having the webUI, though I wish they made an option where the webUI would be available for some basic-tier paid customers. But I can not be okay with this move. They are just giving the finger to all the community. They never tried to work out a solution that could let smaller users to contribute or support.
I will seriously have to consider moving to Hetzner object storage.
What is the problem exactly you are facing now?
Right now, my problem is that I can not update my minio cluster because I do not know of any trustworthy docker image that I can use, and the version I am on is exposed to (at least) one known CVE.
Every time I used it for more than that I ran into performance and other concerns (like durability and consistency) pretty quickly. I cannot imagine how this is used seriously when there is something like Ceph available.
Turns out most file systems are horrible key-value stores.
>I cannot imagine how this is used seriously when there is something like Ceph available.
Adopting Ceph is adopting a Ceph engineer, any use-case with the need and funding to run Ceph on production would easily be able to pay for commercial licenses and/or contribute majorly to this or their own fork. They work in different ball-parks entirely
Yeah CI tests and local dev environments for code that runs against S3 in prod. Right now sifting through the alternatives for whatever is easiest to run as a container in Github actions or docker-compose...
I use it to test my tiny written-from-scratch S3 client in my server app. But then I already have it installed, it already works, and I don't care about updates.
That's how I use it. It seems to also provide a lot of other stuff I don't use.
So, basically, MinIO is dead.
Time to move on, folks. Dead horse is dead. Kicking it will release toxic decomposition sludge.
Fun, I had just started using it as a the data store for a distributed Rust compilation cache, guess we're moving that somewhere else. Hopefully the choice of NixOS as our server OS will make this easier rather than harder.
What alternatives do people recommend that has at least similar features-set and at least similar performance as MinIO?
I made a comment above about some, https://news.ycombinator.com/item?id=45684035#45684826
Ceph is what I think but there are lot of alternatives.
Garage works, has good NixOS support too.
I built my first Slackware box from source.
How times changed.
Sad to break it to you but it was 30 years ago.
We have a tendency to stick to what we know but everything changes constantly and us being connected amplifies that.
I imagine that this makes it much less viable for hobby use, or as a dependency for other open source projects, but setting up a private docker registry and building this image nightly isn’t onerous for any business
The fact that these things are happening at all is enough for us to shop for alternatives. MinIO will be completely gone as soon as we identify the best option and get it rolled out, which should be rather quickly.
If they were hoping to drive conversions to paying customers, they've done the opposite, at least with my employer.
You can't put 3 lines in a Dockerfile but will be "shopping for alternatives", "identifying the best option" and "get it rolled out"? Do you ever get anything done, "rather quickly"?
Their trend towards walking away from the community is a major red flag to me. If we're going to need to swap them out for an alternative at some point, better to get on it now than wait until we're forced to do so.
Boomers stuck behind the times, vendoring their dependencies and even looking at the code they compile. Get with the program already and just push another container!
Strong "Just give me the exe, why is this published as code" vibe :)
...published as code in a printed magazine.
Anyone tried rustfs? https://github.com/rustfs/rustfs
It's still free and available, you just need to run the docker build command yourself or pay them to get their enterprise version.
Well, you can build some parts of it, but the builds aren't the only thing they're removing. Reading some of the Github issues, eg. https://github.com/minio/object-browser/issues/3546:
> We initially explored a basic admin UI for the community branch but haven't actively maintained it. Building and supporting separate graphical consoles for the community and commercial branches is substantial. Honestly, it is hard to duplicate this work for the community branch. A whole team is involved in console development, including design, UX, front-end, back-end, and pen testing. This commit introduces an enhanced object browser but removes the unmaintained admin UI code.
They deleted the admin UI from the current version of the open-source side. It's time to pay the VCs, the project is being rug-pulled and they're going all in on the enterprise version.
? Just build it yourself?
I thought one day in the hn TOP-5 was more than enough for MinIO.
I'm even starting to wonder, should we also drop Docker builds to get the same amount of PR for our open-source project.
Well some say 'all publicity is good publicity', I think in this case it has hurt MinIO more than anything as far as public adoption is concerned.
I believe it's too early to judge public adoption. Let's see in a few years if it degrades somehow. For now, they jumped from 55,880 to 56,319 GitHub stars in one day.
From the product side, I don't see how this should affect new adopters who didn't read the hn post yesterday
Pure anecdata: the fact that this is happening at all has us (at work) looking for alternatives. Once we finalize on the best one we'll swap out MinIO permanently. I can't imagine we're the only ones, but who knows?
If you use this tech, perhaps you could explain what the real issue is behind dropping Docker? I mean, it's still AGPL licensed — why can't you use it from source?
In other words, what is the significant difference for your team that's worth changing the stack and navigating through the uncertainty of an alternative product?
Part of it is the trend of MinIO walking away from community customers. That to me is not a good sign, especially when it comes to project longevity. Do projects that do this kind of thing continue to flourish and thrive? I'm not sure that they do.
It's hard to feel good about remaining hitched to a horse that continues to send out red flags, especially when there are other good options out there for us.
Thanks, so the reason is that you are not confident in this open-source offering anymore.
Ease of setup and certified working solution. And yes, people should pay for certified working solution. But not when they use it the first time itself
Yes, I understand that Docker is easy to set up.
However, I also understand that for any organization it is very painful to change their existing stack, thus I'm trying to understand what is gained between AGPL sources without Docker and switching technology to something different with Docker except 'ease of setup'.
A lot of small shops will find it easier to shift to a compatible S3 object storage which have their own docker compse scripts up and running than figure out how to build minio images successfully. Most products nowadays gives you ansible and docker scripts which can get you up and running inside an hour and then you can configure stuff later.
Building something on your own on the other hand is probably easily a half-time engineer just for build quality and dependency tracking.
Huge number of MinIO shops is one head node and 7 jbods in a single rack (giving you more thsn 10PB). And two such racks for redundancy and one offside rack for backup.
Not in this position, but obviously this might be the first of many measures taken. Next they could make the repository private. Code is only for customers, Red Hat style. It's not as popular as RHEL - a CentOS style effort is unlikely to materialize. Bug tracker and forums private. Lawyer letters about whether or not your usage is license compliant and a reminder that it would be expensive to prove it is, Oracle style.
Open source means what the license says it means. Expectations and conventions can be broken.
Most of people here put an equal sign between being open source and having Docker image.
For me open source is a license, and Docker is a distribution feature. From this prospective I can not understand how distributional channel and type of license are related, as code is still AGPL.
Well code is open source but providing well-engineered solutions (which is what tested docker images are) is good engineering.
And by removing docker images, they are intentionally making open source version a badly engineered version.
GitHub stars are useless metric.
If stars are useless here, I see that only one contributor is left after all that happened yesterday (505 to 504).
It's not changing the fact that it's too premature to reflect on public adoption at this moment.
Almost as useless as docker pulls, and MinIO claims both as vanity metrics.
OK, have a look at GitHub contributors metric. 404 today, 405 yesterday.
Just to clarify, I'm not affiliated with or protecting MinIO, I don't know anything about this software. But it seems to me that there's some overreaction about Docker here, and in reality it is highly possible that this decision might not affect the product the way it's being discussed these days.
Are those active contributors or lifetime contributors? And don't those counts leave out anyone who doesn't have a github account or doesn't associate their got email with their github account?
I'm not sure that GitHub provides those metrics, unfortunately.
Baffling considering how much they charge and how easy it is to get that info just from the git repo data.
I'm glad to have migrated to garage in time. This is quite unfortunate though as a lot of open source projects, like plane.so, used minio via container images for s3 with docker compose.
What did you lose exactly, I don't get it.
Minions has taken away the admin UI for everything except a bucket browser in one of the last releases.
And now they have stopped publishing updates to their community edition docker images. As the linked GitHub issue points out this now means at least one vulnerability will be unpatched (unless you install from source or switch the image) for anyone relying on updates to the original container image.
My loss exactly was that minio lost most of its appeal when it stopped having an integrated management console. It also seemed they were moving into a direction where features were gonna be more separated off for their aistore products over the community edition (a fair move but not something I want to happen to my deployment).
thoughts on https://github.com/coollabsio/minio ?
I feel like this could be used till the time plane.so or other projects feel like they could migrate to garage or maybe just use these coollabsio minio docker image?
My problem was mostly that MinIO was not significantly better for my use-case then garage after the admin console was yanked. Thank you for the pointer though, I will take a look at this for my plane.so instance (using a private containerized minio there still).
While not notifying of the change earlier is annoying, I also don't see anywhere stated that they're obligated to provide services in addition to just providing me the source. Moreover the build-instructions don't seem complicated at all, anyone already extracting value from this should be capable of pulling the source and keep on running with it.
Maintaining docker builds isn’t that huge of a burden (and likely very useful for them too), and they’re delegating hosting to a third party… I don’t get what they’re trying to achieve here.
They're trying to force some free users to pay them for binary builds.
Are they?
I even checked the pricing page, and there is no mention of any builds as paid features.
https://www.min.io/download?platform=docker
https://docs.min.io/enterprise/aistor-object-store/installat...
So I suppose those are official binaries which require license to use.I mean, what's the difference in pricing between AGPL and a commercial license? €50k/year? €100k/year?
Do you think Docker binaries are something that could hypothetically drive conversion from AGPL users to commercial licenses?
There's definitely an air of desperation here. It's not going to work but they have to try it anyway.
I am really interested in this case, as I cannot imagine any commercial benefit from this decision.
Free users will not pay tens/hundreds of thousands for just binary files.
Obviously this will slow down the adoption of the AGPL version, against which the growth of the paid version potentially will look better in Excel reports for VCs, but something tells me that this is unlikely to be the real reason.
It's not just binaries. The goal is probably to get freeloaders into the sales funnel where salespeople can work on them about the value of the entire enterprise package, especially security and support. Even if sales doesn't work on you it does work on a lot of people.
> Free users will not pay tens/hundreds of thousands for just binary files.
Sad to say but this isn't true. This is a failure to understand the pricing model of this kind of enterprise software.
What happens is the free version is used in some product somewhere. Then product's company gets acquired by HugeBigCo. Product company brain drain happens and HugeBigCo looks at poorly understood free software dependency as a liability. It's cheaper/better-on-the-balance-sheet to pay for a license and a support contract than to move off of that dependency or hire competent people to look after it...For a few years, anyway -- until that business unit is worth investing resources in.
That's how a company like Neo4j can charge a half-million bucks a year for one production cluster and get HugeBigCo as label that they can use to try to convince other companies that this pricing is even remotely reasonable.
Anything enterprise data-storage SaaS related is looking to charge at least a quarter-million a year.
I'm not sure, I still follow how the removal of Docker is beneficial for business. (not on drugs)
You mean, having MinIO through Docker is like auto-pilot, and without it requires maintenance (that is obviously easier with a commercial license)?
Money
this. They want to show more paid subscribers to VCs and enabling open source is eating their lunch
On one hand, MinIO isn't obligated to anyone... on the other hand, there's a lot of people who now feel obligated to not use MinIO anymore. Given that MinIO won't patch their container images, are obligated in many cases. A Dockerfile that actually builds instead of copying binary blobs should be as simple as one that executes `go build`. So a fork that just adds that one step seems inevitable. Seems such a waste on many levels.
We moved to Seaweedfs around one year ago and I couldn't be happier. It also fixed all of the performance problems we had on MinIO.
Lots of people in this thread keep repeating the idea that, "Nobody owes anybody anything".
Sure, just like nobody owes minio goodwill or business. People sour on these kinds of things because they feel sneaky and backhanded. It tells you something about the kind of people you're working with.
Imagine if a food kitchen suddenly started charging for the food, without notice. Or they started charging to use changing rooms in clothing stores. Etc, etc. You'd, rightly, expect a negative reaction, even if the "food kitchen doesn't owe anybody anything".
The biggest misstep in these situations is the corporations avoiding being honest and communicative about why the changes are suddenly necessary. We all know, intuitively, that in most cases its because it's not for a good reason. It's because they are greedy or otherwise feel pressured to show infinite growth.
It is unfortunate, but somewhere you need to draw the line, if you are planning to stop releases. If they fix this, how about the next? Why fix this one but not the next CVE? Is the reaction same next time and they end up fixing endlessly?
IMO they should've waited at least a month after updating their README. The timeline is rather short.
It'll be hard to convince people to buy their commercial offering after pulling something like this.
On the other hand, they did the work for free, so it's up to them to decide when to stop doing that. Plus, anyone can fork the repo and maintain their own version with fixes and docker images and everything.
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
> Leaving a known unsafe version as the last release is irresponsible.
I think they should have done a better job of announcing this ahead of time (or at all, really); but there's realistically never going to be a CVE-free release to stop on, because the next CVE is just around the corner.
I'm not sure why I got downvoted here. Minio's behavior here is shitty - but in a day or a month after the last image is released, there /will/ be a CVE that affects that image. By GPs statement, when are they then able to stop releasing?
Probably because it's a meaningless platitude like saying the only safe computers are offline ones, it doesn't address the issue at hand.
Am I getting this right - someone has been providing things for free for a long time and now people are complaining that they are relying on getting things for free and the "someone" cannot just change this?
What are folks doing who were just using it for CI/test/dev environments? Just build the image yourself? Use Garage as some have suggested? I'm curious what people see as the pros and cons.
Why? The maintainer in the link chooses to be a dick and refuses to explain literally any of the weird decisions they've been making. That would at least help people understand?
Just use Garage. https://git.deuxfleurs.fr/Deuxfleurs/garage
This reminds me about the bitnami containers. They pulled the docker images so everyone migrated away because they fear they will also pull the artifacts building the project. They never said that. They seem to be continuing to updating the projects and providing access to the artifacts. It is very easy to build the dockers... it is just a dockerfile really... There is really no upside to stop updating the projects, it is free marketing...
This is interesting. I've recently been doing quite a bit of research into what my "future stack" is going to be for backend. MinIO regularly came onto my radar but one heuristic (among many) I use to determine which software is TRULY open source and which is far less likely to remain open source is whether they even provide a link to their Github page and prominently display it on their website. MinIO was triggering my "not really open source" radar for this reason.
I'm still dabbling but have kind of latched onto the idea of using Ceph. To my understanding they were acquired by RedHat, and the project has all the signs of real open source, including the fact that it originated as a doctoral research project at the University of California, Santa Cruz, with initial funding from the U.S. Department of Energy.
At this stage I’d be hesistant to build anything on top of minio
Shame. Textbook OSS rug pull. These people love to rely on OSS, and claim how committed they are to contribute to the ecosystem and to their community, but as soon as people are drawn to the project, start relying on it and using it in the same spirit of OSS that they enjoy themselves (which their chosen license allows, mind you), then it becomes a financial burden, priorities shift to their commercial offering, there's no "bandwidth" to maintain and support the "community" edition, and so on.
STOP ABUSING OSS AS A MARKETING GIMMICK.
Or perhaps an advice to people who might actually listen: stop being attracted to open source projects because of the word "open", and because you can use it gratis. There are plenty of good proprietary and commercial software whose authors treat their users with more respect than these leeches of good will and abusers of trust.
I'm not against OSS being commercialized. In fact, I think that it's crucial for maintaining a healthy project in the long-term[1][2]. But this lingers on the developer having respect and equal regard for all their users, regardless of how much they're paying them. Yes, nobody working on software should be expected to work for free. But there is a philosophy behind this movement that goes beyond a financial transaction. It only works if everyone in the ecosystem is honest, and first and foremost has the intention of making the world a better place for everyone, by not only depending on others who have this mindset, but by adopting it themselves. Claiming to be part of the OSS community, but being hostile to your OSS users is dishonest at best, and worthy of all criticism.
[1]: https://news.ycombinator.com/item?id=45540307
[2]: https://news.ycombinator.com/item?id=45537750
>It only works if everyone in the ecosystem is honest
In general, applying this to anything with the general public, I don't expect it to work. This is why we have laws, licenses and rules in the first place. You can preach all you want but it won't change humanity, you need something concrete, something written and agreed, like a license.
Not all licenses protect the freedoms and rights you're used to in other licenses, and it needs to be taken into account when adopting any project. License terms that don't guarantee any sort of support or updates when you need them aren't in consideration at that point.
If you don't trust people, then OSS is not for you.
You can't claim to provide software as a public good, while also gatekeeping it only for specific groups of people. If you want to do that, then choose a restrictive license, with the exact terms of use you're comfortable with, and don't work in the open to begin with. That is a valid strategy if your main priority is getting paid.
My objection is towards people who use OSS licenses, but then take issue when others actually use the freedoms they've granted, and proceed to enshittify the project by removing features, putting them up behind a paywall, and in general being hostile and ignoring the user base they've gained in large part thanks to OSS. This is using OSS as a marketing tactic, which undermines the whole point of open source and the free software movement.
Isn't your diatribe contradictory. Your last paragraph appears to contradict your 'beliefs'.
Full disclosure: I work for Cloudian.
While I understand the frustration with MinIO’s approach here, I want to be upfront about what Cloudian HyperStore is and isn’t - it is designed for multi-node, multi-site deployments (think 3+ nodes minimum) and performs best on bare metal or dedicated infrastructure rather than containerized environments.
It’s a very mature S3 and offers IAM, SQS and STS endpoints as well.
If you’re running MinIO at scale in production and looking at migration options, I’m happy to connect you with our team who can discuss whether HyperStore makes sense for your use case. That said, for single-node dev environments or lightweight deployments that many here are using MinIO for, the community alternatives mentioned in this thread are probably better fits. Different tools for different scales. Happy to answer any technical questions about HyperStore’s architecture if helpful.
What is Cloudian? You guys didn't develop Minio did you? (Google says Minio Inc?) If you did it's hard to tell.
No, Cloudian did not develop MinIO - completely separate companies. MinIO was developed by MinIO Inc. Cloudian makes HyperStore, which is our own S3-compatible object storage solution. We’re a competitor to MinIO, not affiliated with them in any way.
Ah I see. Will check yours out.
#ad
I was not familiar with MinIO until this post and I see now 694+ upvotes!
Can anyone give me some background on why MinIO is/was so used? So many people want to self-host S3 compatible software? Just asking, very curious about the whole thing!
this sucks because now im forced to make seaweedfs and ceph work haha
seriously, minio sucks perf wise but they really did a good job making it easy to deploy with docker
It seems like they've pivoted from being a FOSS alternative to AWS S3 to whatever AIStore[1] is.
[1]: https://www.min.io/product/aistor
Just make a fork and release built images via github actions with ghcr. Then ask people to switch to it.
The great thing about open src is the ability to walk away. removed features in new release? fork and put it back. quit complaining and be the change the world needs you to be
https://github.com/coollabsio/minio
Can't emphasize on it enough but I trust the coolify team enough. Lets all jump to this ig
There are people who are being the change they want to see, thanks coolify team.
back in the day, I had an automated Github action that would pull and build a polyfill.io image every time there was a tagged release
You don't even need to fork the project, you can just extend / distribute
Quite a downward spiral for them. Wow. I mean I get the yearning for turning a profit, but this is yikes. This is the type of thing that guarantees most people using your open source / free variant never return.
Getting it from source is as easy as `go install github.com/minio/minio@latest` if you have a recent Go.
In addition your favorite Linux distribution probably has it as from-source builds already.
For a container image you could try making one from Alpine or Wolfi.
I regret recommending using at in our team.
This move can’t be anything else other than malicious.
MinIO was already before tricky because their interpretation of the AGPL is way to broad.
I like the GPL it has given us a lot.
I am guessing here but I do understand why they want people to open source the management code of minio and in some cases how it is integrated into a product. I understand that AGPL might not be written for these requirements but I think it is time for a new such license.
If it is part of a SaaS product that is sold I can definitely understand why this is important.
Do you have a link? I want to read more about that. Did they interpret any use as deriving from minio?
They changed their public guidance at this point, but you can still find references to their approach to AGPL quoted here: https://news.ycombinator.com/item?id=35328316
> "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."
Yes, the page at https://www.min.io/opensource no longer contains this phrase. It sounds reasonable now. I guess they talked to a lawyer.
Archive link: https://web.archive.org/web/20230327211209/https://min.io/co...
Did they ever get permissions from their contributors to switch to AGPL? Last I checked they did not. They didn't require a CLA either.
So no matter what they claim large parts of the codebase are still apache2.
It wouldn't matter anyways, you cannot relicense historic releases.
It does matter, since the current AGPL license status is questionable at best, they did not have permission to relicense code added by contributors. This is why CLAs exist.
If you don't have a CLA you just end up with the new changes being AGPL which creates a mixed license amalgamation which in practical terms regresses down to the stricter of the licenses which would be the AGPL.
It's sad to see a company that built itself using (and yes I purposely choose the word using) the community abandon the community in pursuit of maximal profit.
Item 15 of the license states:
They have no obligations to provide documentation, binaries or anything beyond the source code.I personally think this is a better option than migrating from an open source license to a source available and I would like more project adopt this approach from the beginning of their projects, to set people's expectation right.
Which would be very relevant if anyone were trying to sue them for this - which no one is.
The license establishes the limits of legal requirements and responsibilities. It doesn't shield you from criticisms and people being annoyed with you.
Incidentally there is a open source S3 project in rust that I have been following. About a year ago, I applied Garage images to replace some minio instances used in CI pipelines - lighter weight and faster to come up.
https://github.com/deuxfleurs-org/garage
Shameless plug: try Minimus! Minimalistic and always updated container images. We have the MinIO image and it is always up to date. https://www.minimus.io/
I think Minio is the only Go client for S3 API and S3-compatible APIs. I cannot say I liked using it, but I had no choice. Nowadays I run my own file storage with my own API, so I no longer care.
But if anyone wants to run their own file storage(so not a client), there is https://github.com/seaweedfs/seaweedfs
I've used the minio-go client library for about a year now. I don't see anything in the minio-go README or elsewhere to make me think it will no longer be supported. In fact, the most recently merged PR was yesterday. There are some other Go S3 clients, like https://github.com/kelindar/s3, but I don't know if any other Go S3 clients have the complete set of features that minio-go has.
Surely there's github.com/aws/aws-sdk-go-v2 ?
Just run `docker build` yourself. Why does this non-issue spawn dozens of comments? This isn't some impossible-to-build Windows C++ project.
https://garagehq.deuxfleurs.fr/
minio is guilty of a lot worse sins than pulling a docker image -- hate them for those, not because it's more inconvenient to run.
Surprised by the entitlement of some people. This was FREE labor they were providing, it was never going to last forever.
They created their business on open source. Free software was their top of funnel. Free customers become paid customers, and fund the business. They are more than welcome to change this, but there is no way they don't end up with egg on their face, and that's what we're seeing here.
Recently adopted the Go MinIO SDK to abstract cloud-specific APIs. Really hoping the SDKs don't get a licensing change or yanked next
there's still gocloud.dev/blob ...
I hadn't seen the news about MinIO yet.
For others that are surprised by this, it seems that there is a fork of the UI called OpenMaxIO
https://github.com/OpenMaxIO/openmaxio-object-browser
Render also pushes MinIO as their recommended equivalent to S3 for their customers (using docker), similar to Bucketeer on Heroku.
https://render.com/docs/deploy-minio
Hopefully this will finally push Render to build their own S3 wrapper.
(Render CEO) We're prioritizing Object Storage independent of this move.
In May, they pretty much said they will not maintain the "community version" anymore.
Exact quote: "it will remain as is, and will only receive security fixes if any”
https://jamesoclaire.com/2025/05/27/how-to-self-host-your-ow...
They've also tried to claim AGPLv3 will infect any networked client code too: "Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations. The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO." -- they've since removed that, utterly unsupported, argument, but the lesson to take home is they're really trying to prevent any non-paid use.
It really is time to stop using Minio.
garage and for the minio gateway (RIP) i use versitygw
Have been looking for minio alternative for long already. Found versitygw lately and would like to share the joy. It feels very promising. Fits to many small or lab use cases.
It does not actually solve the trickiness of managing large storage but relies on the backend (that is usually fs like zfs in small setups).
However, seems to be quite new project plus the risk, that the owning company takes it to bad direction, is there too.
https://github.com/versity/versitygw/
I've switched to garage and it's been absolutely fantastic. I don't know if it has a UI yet, but it's been rock solid.
Garage for s3 emulation is a great tool. https://garagehq.deuxfleurs.fr/
To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spew out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
> you should not be running a durable storage cluster in-house
If you’re running Minio, odds are you have interesting use cases that are not filled by S3. I wouldn’t make such blanket statements.
I don’t think anyone is surprised that an LLM can help you here either.
I'm trying to be charitable here, but you're being incredibly obtuse in your response. The issue here is very much not that someone has to build a Docker image. There's already a Dockerfile in the repo that works to build it, you didn't even need some LLM to do that for you. That's not the issue. The issue is that their existing Docker image has billions of downloads and they simply stopped publishing updates unilaterally with no material attempt to communicate this to their users when the current image is affected by a critical CVE that will now never be fixed.
If you don't understand the difference between these two issues, I would suggest it is /you/ that lacks the ability to add sufficient value to your employer (as if that's even a standard we should care about We are people, not merely cogs in some VC's wet dream).
The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?
The time line is rather short (the README announcing source only releases got updated a week and half ago) but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.
I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.
The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.
You're taking an all or nothing approach, when that isn't how this actually works. Software lifecycle management is part of product management 101, and generally how this is handled is you provide /advanced notice/ before an action is taken. Will this fully solve this issue and guarantee notification to every impact user? No. Will it help some of them and show a material attempt to be a good steward and act in good faith? Yes.
Some actions that they could have taken but didn't:
* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images
* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image
* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.
They could have done all three of these things, they could have done other things also. Most importantly, anything they do should have time for people to digest and respond to the action in a reasonable manner, you should not rug pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).
A developer not offering builds themself is a common thing in package managers, like apt or pacman. I don't get why it should be any different for Docker images.
I've been testing the RustFS product for over a month now. While there are some minor bugs, Rust is very stable.
Why didn't YC invest in such a great product?
/me waiting for all complaining about lack of docker image to step up and start providing those images ]:->
Open source is sick. Everyone wants it (both to maintain a successful project, and to use them) until you maintain a popular project for a reasonable time then your realise you're getting used for fuck all value.
We need a healthy way to support open source developers. This isn't working. Companies are taking advantage, and individuals are overwhelmed with choice and have delusional expectations.
It would be cool if The Linux Foundation had a fund to support open-source devs with stuff, like a stipend or hosting costs, kind of like what exists in the hospitality space. I know that this sort-of exists, but it feels distributed amongst a few big companies and is entirely at the whims of their quarterly performance.
No need to get mad or upset about this at all, MinIO is telling us exactly who they are:
They want to be a commercial software vendor, and they don't like open source.
As long as they aren't advertising their product as open source, I don't see an issue.
Is there a fork already?
Do we need a fork? As an example, ffmpeg is source only for mac and windows, which just means someone else is building and distributing binaries.
They changed their license to AGPL, removed features (Web UI, etc.) and now they don't provide docker images/binaries. It's their project but; what's next?
Obviously they will eventually no longer license AGPL at all. It's wild to me how this can be a surprise to anyone, this entire company has been one gigantic red flag for years and that's just what's publicly known. It's a legal department with a software product as a side business.
> what's next?
Removing existing Docker images? Seems unlikely.
It seems crazy that docker hub images are not immutable. Makes them really unreliable.
What for? The code hasn't changed, it's AGPL-3.0. They just don't release their own binaries or docker images anymore.
There is perhaps a need for a fork because of their recent removal of features (unrelated to today's post): https://github.com/minio/minio/issues/21584
Demanding people do free work for you, like starting a fork on your expedited schedule is quite juvenile.
Forks take time and effort from humans to maintain.
Where did you see a demand? The comment you're replying to merely asked if there is a fork.
The inclusion of the word “already” suggests that someone should have put forth effort to fork this project by now.
That’s where I interpreted this as a demand.
I took it at face value - “has someone already put for the effort?”. You know, assume positive intent and all that.
not sure that word means what you think it means
I used MinIO for local dev. I can use S3 or R2 in some cases instead. Kinda crazy to find out that people use these Docker images in production. Why on earth would you do that?
Just build your damn image if you need it.
They don’t owe you anything.
Reasonable.
That seems to be the key word.
One camp argues: Expect nothing. Move on.
The other: Could they - with very little effort (reasonable) - have choosen a more palatable route.
There must be a middle ground between the nihilists and the pampered.
> We’ve started distributing our software for free
> nice
> We’ve stopped distributing our software for free
> How dare you!
That is not the problem here.
You're right. This is like they've stopped offering free gift wrapping. You can take it home in the plain package for free if you want.
It's been talked to death in other threads already, but typically when you provide a service, even if it's free, it is polite to give warning that you will stop providing said service in the future.
If they are trying to push people to commercial services I typically attempt to steer away from companies that make rash decisions with a moments notice, rather than ones that would leave you high and dry.
> It's been talked to death in other threads already, but typically when you provide a service, even if it's free, it is polite to give warning that you will stop providing said service in the future.
They actually did that by saying that there are no new releases planned and new releases may be cut at anytime and everyone uses them at their own risk.
https://github.com/minio/minio/commit/9e49d5e7a648f00e26f224...
… that commit is from last week. One week is not at all a sufficient warning, that’s rash and makes them look quite bad. Practically manic.
I built my own S3-less Minio alternative few weeks ago, should I open source it?
It's built using Rust and React Router.
Just playing around with it
More projects should do this.
It's ok, just don't use them anymore if you don't like it. I will switch to something else.
Any recommendations for a simple S3 implementation for a local docker-compose development setup for mocking S3? Ideally with a nice UI to check/manipulate files.
what a terrible turn ... screw 'em
so what're you folks moving to? spinning up a local minio instance was what I always sprung for when doing local testing of s3 things...
Edit: 9.4k stars. Looks compelling. https://github.com/rustfs/rustfs
We'll just build our own docker image, it's not a huge task
This is a clear Rugpull and Enshittification, no matter what perspective you have.
Imagine having to build LibreOffice from source to get it installed
e.g. on Windows
Not bad as long the scripts as there.
Once again people will find out that no software should be free.
Since the whole docker thing where people were complaining about having to pay 10USD, I am happy when OSS projects pull the rug, tech bros you're paid to solve your company's issues, nobody in OSS owes you anything, go earn your salary and build the docker image that fix the CVE, or stfu
We all know you don't care about loyalty correctness or anything, you just someone to do the work you're paid for
Spot on. The number of people who are seemingly completely lost without a free DockerHub build is terrifying. Maybe it explains why software quality has degraded so much over the last several years.
are you saying there's a bunch of human centipedes bopping around here who are both the people who would do the minio rug pull as the ones who complain about not getting free services?
It is hardly a rug pull, when they are still giving away the full source + the actual Dockerfile, so you know, you can build the image. In either case, if you are not running your own registry and are unable to build an image, but still complain about this minor issue...you are probably in the wrong business.
pffff how boring
What did MinIO say to Wordpress? "hold my beer"
Still don't get why on earth anybody would run a Docker version of MinIO in production. And why is this even a problem. Not like you put a private storage service on the Internet? Or do you? The incompetence of the average HN user is just mind blowing.
[dead]
[dead]
[dead]
[flagged]
Could you elaborate please?
Why is DHH being mentioned?
Nothing to do with MinIO and their docker builds...
Take your pitchforks and your internet hate-mob somewhere else, please.
lmao
they dont learn anything after redis case are they????
I never understood Minio. Why not just use S3? Why not just use Ceph?
If you need just the interface for dev environment, I am sure Claude can cobble it together in 1 day.
This seems like a maneuver of a dying company.