Comment by asmor

3 years ago

I think the overarching point is that MinIO doesn't understand their own license. MinIO can't retaliate at will, except by suing. It also shows that - as it has been since the inception of the AGPL - nobody knows what the actual obligations are. MinIO seems to believe that interaction with MinIO, including calling the API, makes your code subject to the AGPL too. They say as much on their compliance page.[1] This is the opposite view of someone like MongoDB, who used to have their software AGPL licensed, but explicitly made their clients permissively licensed, because their expectation from the AGPL was that it is not infectious across process boundaries.

MinIO has taken this to other extremes, including believing that your config file for MinIO is subject to AGPL. Even if you assume that an implicit dependence on an API is making the calling code AGPL, MinIO has the least strong claim for their service being infectious, because their API is mostly a reimplementation of S3.

This is like the "are Java APIs copyrightable" case all over again, except the people who are threatening legal action didn't even invent the API.

[1]: https://min.io/compliance

"When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."

I read through this as well & it is a joke. Under their interpretation if I run MinIO in the Linux subsystem that is part of Windows, I'd need to open source that.

Their interpretation is so extreme that using a browser would require me to open source the browser. If I used a shell script to test if the service is running, I'd need to make that open source too.

There is also this: "Passing configuration parameters to a MinIO binary instance constitutes making a modified version, as it does not produce an exact binary copy."

How do they know it doesn't produce an exact binary copy? Maybe my x86 computer is quantum based.

I'm pretty sure if I compiled MinIO with a proprietary Golang implementation, MinIO would want me to open source the compiler.

They also include their trademarked logo in the git repo, then try and tack on a supplemental policy about that later. Which you can't do, because the AGPL grants you a license to the logo.

  • In MinIO's original accusations, they have a line: "MinIO recommends uninstalling $Company entirely from your infrastructure."

    When they wrote it, they set $Company to "Weka". Given the overall interaction and beyond-curious legal interpretations they are making and publishing, I read it with $Company set to "MinIO".

    • That was exactly my thought as well. If I were CTO I would require all teams to either use the Apache 2 version or discontinue use.

      Also what I find interesting is they accepted community contributions without a licensing agreement. So they in fact can't switch to AGPL without written consent from all those contributors.

  • It might be the actual intent of the AGPL, which is why I completely stopped using it despite loving the spirit of how it is used by MongoDB.

    The FSF has an example of how to comply with the AGPL (specifically the "prominent notice") when using an AGPL licensed proxy that is pretty illuminating. They recommend you just show a landing page with a big reference to the AGPL on the first request. I'd like to see them do that with an API Gateway.