WEKA Responds to Allegations Made by MinIO Regarding OSS Licensing

3 years ago (weka.io)

Having read the minIO allegations last week, I was fully expecting to read some weasel-y/half refutation here.

Instead, this is a strong refutation and, if everything WEKA says here is true, it is much less certain that they've done anything wrong and it seems like it's on minIO to prove that they've used minIO software subject to AGPL rather than only to Apache.

Previous HN discussion: https://news.ycombinator.com/item?id=35299665

  • If you read the minio blog, they give very detailed instructions on how to check that they are using the software. It shouldn’t be super difficult to figure out if any of the software being distributed today is post license switch.

    So what we have here is a very detailed description of what they are claiming is a violation, then a refutation that is very strong, but also doesn’t actually address some of the claims in the other blog, as far as I can tell.

    There is a blog from minio that says they switched to AGPLv3 in 2021. It’s unclear to me from the screenshots whether the software is later than that or not.

    I hope someone takes the time to do an independent analysis, and a more neutral take.

    Note that Weka redacted the language from the Apache license that says “subject to the terms and conditions,” which (not a lawyer) seems to allow a copyright holder to deny permission if they’re not meeting the conditions of the license. Whether they are or not is another question.

    • > they give very detailed instructions on how to check that they are using the software

      It's not that detailed; it just says "there is a minio binary, and that's our minio". Okay, but what version is that? This is the crucial part, because Apache vs AGPL license makes a world of difference.

      The Apache attribution requirement seems satisfied; perhaps not as prominently as minio would like, but there is no "prominence requirement". It fails to demonstrate any AGPL code is used, although according to some other comments the minio people have a unique and interesting interpretation of relicensing where they think they can retroactively relicense Apache code to AGPL. The claim that backporting any security fixes would trigger the AGPL is also suspect; typically many security fixes are simple in terms of code changed, and tend to be fairly easy to re-implement independently once you know the description of the problem. Either way, "it's likely that [..]" doesn't really demonstrate much of anything and is certainly not "very detailed".

      In short, the minio post is vague and full of assumptions; even without this rebuttal I wouldn't put too much stock in it as it seems borderline FUD.

  • Not a lawyer and this is an area where I genuinely just don't know, so I'd love to find a place that's explored this and could read more. But WEKA's statement #2 about the irrevocability struck me as odd in its expansiveness. My understanding was that "irrevocable" essentially is about arbitrariness and time, that so long as the licensee follows the governing license as written then it continues indefinitely and the licensor may not ever simply decide to revoke it. But if the license terms were broken, then could the copyright holder then say the contract was broken? I didn't think "irrevocable" meant "every other aspect of this contract doesn't matter beyond damages because even if you blow off them all it can't be revoked anyway". Like if I signed a copyright license saying "in exchange for $50/year paid on Jan 1 each year for a period of 10 years I grant a perpetual, worldwide, non-exclusive, irrevocable copyright license to said work" and then they just stop paying after the first year does that mean the license is still irrevocable, but I can sue them for damages? Or is the contract done due to non-performance? Or would that depend on other clauses? What if the value exchange is more of a quid pro quo thing, does that become a rare instance where suit for specific performance would be an option, or would the court translate it to money?

    Just really curious, I've seen that term language lots and never really gave it much thought until now. Surely this must have been fought over before. But I'd have expected a lawyer drafted response by WEKA to cite case law and any governing state/national law. Just saying "see the contract says irrevocable so that's that duh!" feels kinda odd.

    --

    Edit: Also to be clear, this is all purely dependent on any license terms actually having been broken. If none were then yes that'd be that. It just seemed like WEKA was making an argument that MinIO couldn't revoke no matter what.

    • I think the overarching point is that MinIO doesn't understand their own license. MinIO can't retaliate at will, except by suing. It also shows that - as it has been since the inception of the AGPL - nobody knows what the actual obligations are. MinIO seems to believe that interaction with MinIO, including calling the API, makes your code subject to the AGPL too. They say as much on their compliance page.[1] This is the opposite view of someone like MongoDB, who used to have their software AGPL licensed, but explicitly made their clients permissively licensed, because their expectation from the AGPL was that it is not infectious across process boundaries.

      MinIO has taken this to other extremes, including believing that your config file for MinIO is subject to AGPL. Even if you assume that an implicit dependence on an API is making the calling code AGPL, MinIO has the least strong claim for their service being infectious, because their API is mostly a reimplementation of S3.

      This is like the "are Java APIs copyrightable" case all over again, except the people who are threatening legal action didn't even invent the API.

      [1]: https://min.io/compliance

      "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."

    • I would interpret the Apache License's terms on breaking the license to apply to patents and there it is pretty clear that the party who starts litigation loses their own license. I don't think any open source license writer would intentionally want the situation where a middle-man causes a license to never be valid, and in this case it makes no sense as attribution is meant to be optional information.

It does appear that their minio instance is the apache version. From the minio allegations the ui in the screenshots matches the pre-AGPL instance that I've kept around which was really just a simple bucket/files manager. I think all post-AGPL versions should be using the new ui announced here[1] in April 2021. The AGPL change was announced 12 May 2021[2]. The newer date in the out of date message could be due to them re-compiling the Apache version themselves.

However looking at the warp version in the screenshot, version 3.40 is licensed under AGPL.

[1] https://blog.min.io/new-minio-console/

[2] https://blog.min.io/from-open-source-to-free-and-open-source...

Didn't know that MinIO used to be Apache licensed. This [0] is the commit that changed it.

Since the S3 API largely remained the same over the last two years, it might be an option to use the Apache version, if AGPL is not possible. Of course, that would lack security fixes that were done in the meantime.

There is also a discussion [1] about that license change.

[0]: https://github.com/minio/minio/commit/069432566fcfac1f105367...

[1]: https://github.com/minio/minio/issues/12143

  • I hope more people start using AGPL from the get-go for their projects.

    • Companies are using AGPL not to benefit users or the community but to extort users and competitors into paying them. It's becoming fake open source.

    • If you are in the business of making money like minio, you may as well just use a commercial license. No business will touch AGPL, they will just opt to pay for a commercial license.

MinIO had a large investment round at unicorn valuation at the end of last year. Watch them desperately move up market (or more like flailing around) to recoup that investment.

Meanwhile they cannot get their software to work on ext4 and it is apparently ext4's fault[0].

[0] https://github.com/minio/minio/issues/16602#issuecomment-142...

  • You're misinterpreting the bug, the software works but could lose data. However, the person who wrote the update about O_DIRECT and ext4 in production environments is just wrong.

I recall minio previously playing fast and loose with the terms of their prized infectious foss license, a github issue perhaps? I recall they believed that interfacing with their AGPL minio through a standard s3 interface with no source changes mandated open sourcing of the client application.

  • They have a unique interpretation of AGPL, they also seem to think they can retroactively change the license from Apache 2 to AGPL on their old code. So even if WEKA forked the older version of MinIO when it still was Apache they would still violate the license. Which means anyone using MinIO without a commercial license needs to open source their entire application regardless if MinIO itself was modified or not. Well according to MinIO anyway.

    This will eventually surely lead to a lawsuit where this is tested, but in the meantime I would avoid MinIO at all cost. The commercial license to self host it is minimum $1000 per month for 100TB.

    > If you distribute, host or create derivative works of the MinIO software over the network, the GNU AGPL v3 license requires that you also distribute the complete, corresponding source code of the combined work under the same GNU AGPL v3 license. This requirement applies whether or not you modified MinIO.

    https://min.io/pricing

    • That sounds dangerous to free software/open source as a whole. Firstly, it's obviously not the status quo of how most people operate. Secondly, if they manage to win that claim in court it could encourage others to do the same.

  • Maybe these?

    https://github.com/minio/minio/discussions/12895

    https://min.io/compliance

    Trying to read and understand.

    • Basically they claim that even calling it from proprietary stack over s3 api triggers AGPL obligations which most lawyers don’t believe is true but never been tested in court afaik. I wouldn’t recommend touching it for anything unless you want to play those games (or unless you want to pay for enterprise ofc =)) It’s fake open source.

There needs to be a phrase like "play open source games, win open source prizes" for companies that get all upset when someone else monetizes their product.

  • I think it depends a lot on whether they’re upset because they failed to license the software in a way that would prevent behavior they don’t like, or because someone doesn’t seem to be complying with the license in the first place.

    If you chose a permissive license and then are shocked when people actually take advantage of that, you kind of deserve what you get. If you chose a reciprocal license and someone just ignores it, then I think you still have a license to complain. Pun kind of intended.

    • I personally don't care for any open source sob stories by companies that use open source as a growth strategy. When you open source something, you will need to pay the legal costs to enforce your license, the license doesn't enforce itself. It will most likely be a long drawn out process and will be a drain on your resources, especially technical ones. Don't complain when this happens, nobody forced you to open source your stuff to begin with.

I just want to know if MinIO contacted Weka before this falling out or not. If not, then MinIO comes off as a bunch of psychos. If so, then grab your popcorn.

  • It seems they might be psychos, they are misrepresenting what AGPL allows all over their issue tracker, for example this: https://github.com/minio/minio/issues/12829#issuecomment-889...

    > Also NOTE: I need to remind you are under AGPLv3 violation here if you are using MinIO with proprietary purposes. Please consult a software lawyer for more information.

    Or this: https://github.com/minio/minio/issues/13308#issuecomment-929...

    > Also, just want to mention that the AGPL license requires that all software connecting with MinIO be 100% open source for you/your users not to be in violation of the license.

    All that AGPL actually requires is that you share the source of your server, if you modify it.

    • > Also, just want to mention that the AGPL license requires that all software connecting with MinIO be 100% open source for you/your users not to be in violation of the license.

      So they would consider my Arq backups to MinIO a license violation? What if I access the GUI from a Windows PC? What about a Linux PC with a proprietary GPU driver?

  • According to the article, they did not:

    > At the end of the business day on Friday, March 24th – without warning, provocation, or even providing WEKA with an opportunity to review and respond to their claims – MinIO issued a public statement that made several false and baseless accusations against WEKA. It was the first time MinIO had made us aware of their concerns.

What's a good simple open source S3-style object store to use? Does one even exist? Do we need to start a project to (re-)write one in Rust?

- MinIO: more trouble than it's worth, as demonstrated here

- Radosgw of Ceph: not really suitable for a single server install

- Garage (https://garagehq.deuxfleurs.fr/): Their writing about the distributed design didn't convince me in 2022.

- https://lakefs.io/ Haven't studied

From my perspective, only lawyers will get the benefits.

Neither Weka nor MinIO and definitely not the community.

The way MinIO's accusation was worded, it felt like this was a reaction to someone saying "Boss, they've ripped us off and are earning from it and not attributing us, here's the proof, revoke their licence."

And the way this response is worded, feels like, "Check everything if we're using their stuff, get a lawyer to draft a response, and tell them, this is not the way to handle it."

I hope both parties resolve it soon.

So they are using an outdated version because they wanted to stay with permissive licensing.. Kinda fun to see the reverse of what usually happens to a community when a company-led project goes closed source. Definitely got no empathy for weka in this case tho. Also kinda fun that minio noticed they used an old version but forgot that they used permissive licensing at that time.

  • My experience is that it's often hard for companies (and people) to remember facts that are inconvenient for them.

    If WEKA is using Apache-licensed software in compliance with the Apache license (as they claim) and is being accused of doing something else by a company with, let's just say, non-mainstream interpretations of license terms, I do have empathy and sympathy for them. (They claim that's what's happening. MinIO claims something else. Several of these claims are pretty much testable facts and I'm sure someone with time and motivation will test them.)