MinIO stops distributing free Docker images

Maybe someone else somewhere is getting some unbelievably sweet deal but what I've seen from cloud discounting is more in the "single digit percentage" range than "2/3rds off" or something.

How to not pay full price on AWS? We pay $10K+ per month and nobody gives us any discount.

I guess it's a good thing I'm not talking about list price. Do you really think when you're doing a cost comparison of AWS S3 to NetApp or Dell object storage a fortune 500 says: go ahead and use list pricing for the comparison? We plug in their existing discount structure... because otherwise it would be a rather pointless exercise for everyone involved.

Agreed and for most smaller use cases theres always b2 from Backblaze.

Is anyone getting discounts on S3? There's easy ways to save on compute like reserved instances but I haven't found anything for storage other than the tiering system.

That, in itself, should be plenty of reason to stay the hell away from it.

free software until mainstream acceptance. naive MBAs call it leaving money on the table, Microsoft calls it a monopoly-preserving strategy. no VC has the balls to go for the jugular anymore.

Is open source and making money in conflict? If they do a good job, I am willing to pay.

it used to be that people started businesses so that they could help others by providing a product or a service to them.

late stage capitalism arrives when people create businesses solely to get rich, and when other companies are created solely to get rich by helping those people create their companies so that they can get rich. that's what ycombinator is.

most of capitalism used to be symbiotic. engaging in transactions with businesses benefited both the business and the consumer.

now we live in a world where most or all of the benefit goes to the business and none or almost none to the consumer.

Here an S3 compatibility table https://garagehq.deuxfleurs.fr/documentation/reference-manua... comparing

  - GarageFS 
  - OpenStack Swift
  - CEPH Object Gateway Rados
  - Riak CS
  - OpenIO

The benchmark against MinIO is nice, but I don't care much for the table vs. "Other object storage" which seems to try to aggregate all the worst points of all the others with no citation (e.g. why should I believe RustFS has no intellectual property risk but others do? What's different about them to back that up?).

This comparison reads like it was written by an adolescent. The first row immediately reminded me of the classic meme[1]

[1] https://imgflip.com/memetemplate/460629937/our-blessed-homel...

There are a few challenges with open-source projects that want to also be commercial entities.

One is obviously knowing what you can add-on that people will pay for; support, for one, but people want more features too. What could minio have built on top of their product to sell to people? Presumably some kind of S3-style tiered storage system, replication, a good UI, whatever else, I'm not sure.

The second is getting people to actually know that that's an issue. I work for Tigera which publishes the Calico CNI for Kubernetes, and one of the biggest issues we have is that people set up Calico on their clusters, configure it, and then just never think about it again. A testament to the quality of the product, I'm sure, but it makes it difficult to get people to even know we have a commercial offering, let alone what it is and does and why it might be beneficial.

I could see the same thing for Minio; even if they have a great OSS product, a great commercial offering on top of that, and great support, getting people to even be aware of it in the first place is going to be a huge challenge and getting people to pay for it is even harder.

It's sad that they went the completely wrong direction and started taking things away from the community to force people to the commercial side of things whether they're willing to pay or not.

I reckon they gave away too much, and are clumsily rowing it back.

Gitlab seemed to do a good job of navigating a community edition as an on-ramp for sales. But it's obviously a lot of work to maintain that edition, and VC must be feeling less geenerous than 10-15 years ago.

e.g. maybe if it were my project I'd have kept back the S3-compatible ACL support and put in something super-basic. Or even cluster support. Right now it feels like they're cutting off everything they can while still being able to call it "open source".

An analogy to making a physical tool doesn’t really work because we have to basically describe what software is in terms of exceptions to the analogy.

If I had a ratchet that, every time I turned it, I had to pay $.1, but I’d gotten it for free, but it was basically free to replicate, but the person who designed it did have to spend some significant work on R&D for the thing… I have no idea how I’d price that or how I’d feel.

did you buy the ratchet?

that's why you'd be pissed.

Let me introduce you to Splunk and enterprise software in general

You effectively do pay per turn of the ratchet. It doesn't last forever, will eventually break, and so you can amortize the cost of the device over the number of turns you expect it to make to get the per-turn cost.

Software on the other hand does not naturally wear out, in the same way physical objects do.

Nuantrix distributed a version that was still Apache licensed and merely failed to disclose they had made changes.

This is after MinIO asserted that Weka had also stolen their AGPL-licensed code, showing that they extracted binaries from the distribution. They forgot that that 3-month old (unmodified) version was still Apache licensed though.

MinIO generally don't seem to consult lawyers often. They haven't even set up copyright assignment / CLA immediately after switching the license, so technically they are also incapable of selling AGPL license exceptions just like everyone else.

I've done my best to keep MinIO away from most infra I manage, not because of legal concerns but because it was kind of obvious they'd eventually go full scorched earth and either drop images or the source code distribution all together. Maybe now we can all move on to a fork, or SeaweedFS, or Ceph, or literally anything else.

That just means the fork would also need to be AGPL licensed, and the owner of the fork wouldn't be able to also sell a proprietary version with additional "enterprise" features. And IMO that would be a good thing.

I think it is unlikely a single entity would do that. But a coalition of current MinIO users might get together to create such a project, perhaps under the Auspices of a foundation such as the Linux Foundation. Although, I think that scenario would be more similar to OpenTofu than Valkey.

maybe they got paid in exposure

It can be correct and true while at the same time being bad-faith and user-hostile.

"That expectation does not entitle anybody to anything though."

This is true legally, but not otherwise (socially, practically)

"That is their decision. Without any contract or promise, there is no obligation to anybody."

Again, true legally, but IMHO a really silly position to take overall.

Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.

Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.

Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.

Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.

More importantly - society has never survived on legal obligation alone.

I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.

Have you not seen some of the replies at the link?

For example:

"You are joking ?!

The commit about source only is 4 days old (9e49d5e)

We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may loose a paying customer with this behavior."

I think if you analyzed your day to day life you'd be surprised with how many reliances you have on norms and social contracts. I personally don't want to live in a world that depends on an explicit legal basis for every single thing, and I doubt you want to either.

The GP didn't say it entitled them to anything, but that it created a sense of entitlement. You are correct there's no contractual obligation to do so, but it was likely a part of the decision to go with their solution, i.e. "they make it easy to deploy!". It is a very logical conclusion to say "they just made it HARDER THAN BEFORE to deploy".

Promises are not always explicit written permission; that's why I got in trouble for re-broadcasting major-league baseball with only implicit verbal permission (thanks, Simpsons!)

> That is their decision. Without any contract or promise, there is no obligation to anybody.

Even as a paying customer on a $1m/yr contract, still using the open source distribution because AIStor is not something we are keen on, we were not informed whatsoever.

They were well aware we were still using those container images, and we were by far the only paying customers doing the same.

This is malicious.

> > When you always published and built Docker images for the public you are creating an expectation

> That expectation does not entitle anybody to anything though.

Note that implied contracts do exist, and sometimes expectations based on prior conduct do suffice to form an enforcable contract. In this case, I don't know whether you can reasonably make that argument, but that's never stopped enterprising lawyers before.

https://en.wikipedia.org/wiki/Implied-in-fact_contract

“I’m not legally required to be nice” has become a classic and very common HN/Reddit argument. While true, it’s kind of beside the point. People often go beyond what they are legally obligated to do, and other people often expect others to go beyond what we are legally obligated to do. This is about nice vs. not-nice instead of legal vs. illegal.

Calling out shitty behavior doesn’t mean you felt “entitled” to anything.

Not all shitty behavior is governed by contracts and licenses. You can be an asshole without violating the terms of a license.

> Without any contract or promise, there is no obligation to anybody.

When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with. There was no contract or promise. The fact you're paying for their service doesn't buy you these rights either. Those are just the terms of service both parties have agreed to.

Similarly, open source software is much more than a license. There is a basic social contract of not being an asshole to users of your product, which is an unwritten rule not just in software and industry in general, but in society as a whole. The free software movement is an extension of this mindset, and focuses on building software for the benefit of everyone, not just those who happen to pay for it, or those who meet your specific criteria. Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it. And your point is that that people who complain about this are entitled? Give me a break.

If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.[1]

[1]: https://news.ycombinator.com/item?id=45666757

> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.

Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.

This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.

I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.

I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.

> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.

Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.

If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.

Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.

> Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company

so its a communications issue? if minio or whoever explains this, OK. that's not what happened, so it's not what happened.

If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out it had a knife guard put in place.

To me, there are two aspects:

- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)

- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.

I'm not scared at all and could care less about building the image myself.

I'm also not 'entitled' because i'm doing this for another open source project we are now maintaining.

Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.

There is a difference between having the official Min.IO image with a stamp of approval vs. forked repos with their version of the same image. The only thing fixing this kind of issue is a fingerprint and build caches.

They are removing the official container images because 1. this is the magic source of running your software in helm charts etc. so now you need to act 2. in some companies you are not allowed to use random container images

And you are complelty ignoring my arguments. Its not entitlement if a companies product becomes the industry standard due to Open Source and then doing a rug pull like this.

I think (and I suspect many users would agree) that there is a big difference between "we are removing some unmaintained drivers for a piece of hardware which almost no one is using" and "we are removing a tentpole feature from the 'open-source' version of our application and making it exclusive to the paid edition".

How was the task of building this project easier for them than it would now be for you or me? I feel like you are using the phrase “pulling up the ladder” in a way that doesn’t track with common usage.

Did you read the discussion? The docker steward is proposing making a docker "official" minio image to replace the minio/minio image.

No, it is a defense strategy. For e.g. hobbyists, it's basically irrelevant, and having something on a private LAN is fine. There is almost no chance of an issue. Not everything in the world needs to be maximally secured, and the people who are using those IAM policies are probably not pulling a vanilla image off Dockerhub to run something as fundamental as their storage layer. They probably also have firewalls tightly locking down which machines are able to talk to MinIO on top of token auth.

The cargo-culting around security is so bizarre to me. In a context where e.g. your organization needs to pass audits, it's cheaper/easier to just update stuff and not attempt to analyze everything so you can check the box. For everyone else, most security advisories are just noise that usually aren't relevant to the actual way software is used. Notably, no one in these discussions is even bringing up what the vulnerability is.

Again folks, you don´t "fix" anything by building a docker image. The fix is already in the source, you just need to run one command to build the image. The registry is something you should have in your infrastructure, if you are at least half-way seriously doing anything in the domain of containers and Kubernetes. But if you dont have one, it seems you are running things locally, for your toy project.Well then, just in that case just deploy from your local docker cache. All of this is actually merely a couple of commands in your simplified use-case.

The fix is upstream, they're giving away the patch for free.

Setting up a registry and a pipeline is annoying but it's hardly a life changing event. It's certainly easier than migrating to a competitor.

Oh heh, a trip down the memory lane. I wrote the initial version of that, in an era where AWS docs did not match observed S3 behavior. The only way to make an S3-compatible API was to create a suite of over-the-network tests to run against both AWS S3 and radosgw.

We also had a little grammar-based fuzzer for S3 requests (really, any HTTP), but over the last 10+ years I've lost track of what happened to that code. That found some incompatibilities with allowed character sets etc too.

Minio used to be able to do this, but they dropped this feature - "gateway mode" - several years ago.

> I believe you're forced to have your data backed by a Ceph OSD.

It makes perfect sense as this is a feature of Ceph.

> Whereas Minio can point to an NFS share on a NAS.

Eh, different trade-offs.

Garage worked for most of my use-cases but it lacks, among other endpoints[0], bucket ACLs and bucket replication. Anonymous access is also an open issue[1].

They are also a comparatively young project and while fully OSS do not, afaik, appear to have a solid long term funding source yet. Though that might be an opportunity to support them, if your company is interested in picking them.

[0]: https://garagehq.deuxfleurs.fr/documentation/reference-manua...

[1]: https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/263

There were setup commands I needed to run before the docker image did anything. I’m used to just specifying an access/secret key and having it work.

It was: MinIO (apparently) becomes source-only

Thanks tomhow!

I've spent a lot of time trying to get pytorch working inside docker against cuda. That's a big challenge even just on one architecture. It isn't as simple as you make it to be and they have to determine how they allocate resources so they can pay people. I'm still grateful for this project and would rather they dice focus on functionally than packaging.

Really easy, I made a script to build bitnami images from a command line menu and push it to your dockerhub. It also detects changes in versions and you can rebuild and push again.

https://github.com/tzahifadida/oys-bitnami-builder