They abandoned documentation (edit: for the open source codebase) a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that it isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.
>The price of support comes in at slightly less than the equivalent amount of S3 storage
That's absurd. I would be running to NetApp and Dell for competitive object storage quotes then. Haven't done pricing on either one recently but at least a few years ago they were roughly half the price of S3 all in (including hosting costs).
During an upgrade, I discovered that the console had been removed without any prior notice. MinIO really pissed me off.
Over a month ago, I started looking for a MinIO alternative and found RustFS. I've been testing RustFS for over a month now, and the product continues to improve, with the community fixing bugs very quickly.
I hope YC will invest in this company.
That does sound much worse than hiding the pre-built images from users. I hope that documentation is archived. There's probably some benefit in documenting those installation tips elsewhere besides Github comments.
Yeah, running binaries of varying qualities taken from all sorts of places is a bad idea anyways. Distro packages are generally more consistent or even running "go build" yourself is probably better in this case.
But pulling existing documentation is a whole different matter. One can argue that they don't have an obligation to maintain the docs, though it would effectively make continued use of newer versions untenable. But pulling existing ones is an unnecessary rug pull when it doesn't cost anything to keep it online. It's a big middle finger to open source.
Unrelated but I find it funny that the Microsoft logo on the Install on Windows section is upside down on the redirected link docs.min.io/enterprise/aistor-object-store/
With 100PB clusters being built and not a cent going to them, you can see why minio has gone this route. I wonder if they will be "valkeyed"? Not by AWS presumably.
That's the open source model. It's entirely predictable that if you provide software at no cost that is capable of running 100PB clusters, that some people will and you won't get paid, because those are the terms that you set.
It's fine to change your mind, but doing it in this way doesn't build goodwill. It would be better if they made an announcement that they would stop creating/distributing images on some future date; I'm sure that would also be poorly received, but it would show organizational capacity for continuity.
If I'm considering paying them for support, especially at the prices quoted elsewhere in the thread, I need to know they won't drop support for my wacky system on a whim. (If my system wasn't wacky, I probably wouldn't need paid support)
That's a strange mindset, IMO. I'd be pissed if I had to pay $0.10 every time I turned a ratchet, and it's weird to expect companies to have usage-based monetization on the tools they've made for others.
If they charged a cent, would people adopt it in the first place?
They still got paid for those free users. Via investments. Cash is cash. I don’t KNOW what the RIGHT business model is, I don’t run MinIO, and neither do you.
Nah, it's fine. It's Open Source, you can document it yourself if you need to! But there is no obligation from the MinIO authors to provide it, you're not entitled to it.
It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will choose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will choose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVEs, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distribution's standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
MinIO is not actually open source, their source code is just public.
The company I work at spun up a MinIO instance, and we got hounded by MinIO lawyers claiming we had to pay because "hosting MinIO alters the source because of injecting configuration" and therefore violates their open source license.
There have been multiple hacker news threads about this:
> It's an Open Source project - I don't understand what people are complaining about
MinIO is a commercial company that provides some open source components and some paid components and services.
This meme where nobody is allowed to be unhappy with anything when the phrase “open source” is involved is getting old. In the span of two paragraphs your comment discovered why this is frustrating people: They have been providing certain things in the open source leg of their operation and then yanking them and stuffing them under a very expensive commercial leg later, after people have begun using them.
Being upset about that is reasonable and understandable, even if it triggers some of the people who believe “open source” means nobody is allowed to be unhappy with anything, ever.
Company makes Open Source. Open Source community embraces it, helps it to become the de facto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internally only, is the gatekeeping they are now doing.
It's like 0 effort to provide these images.
And yes, pricing pages like this are always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow I don't get MinIO anyway. They got over 100 Million of investment for an S3 system. It's basically a done product. It's also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining traction.
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
They removed the admin UI from the web frontend in the f/oss version some months ago, too. I updated for security reasons and they'd stripped the functionality out. It's a jerk move.
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
> I don't understand what people are complaining about. No one is entitled to receive free Docker images.
Every time I read something like this, I recall this post from Rich Hickey[1][2] on why no one is entitled to benefit from another human being's goodwill and time.
From the post:
> The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.
> Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.
But not everything can be "fair game" when providing a service for free. Surely it wouldn't have been OK if they suddenly included a bitcoin miner or extracted credentials. They offered a free service, people trusted it, depended on it. Now, in my view, they have some responsibility to their users.
Giving a notice in advance and releasing a final image that patched the CVE would've been reasonably responsible.
Certainly, there are some pretty entitled people on that github issue.
But this attitude is too far the other way. Fair enough, you are under no obligation to continue providing a free service. But isn't it fair to give a bit of notice before withdrawing it? Especially after doing it so consistently for so long. Not legally required, sure, but polite.
They haven't even given notice after withdrawing it! They just waited for someone to realise and ask about it.
Bear in mind that many paid for services, on a subscription basis, technically allow the seller to change (i.e. reduce!) the service at any time. If they act in bad faith to their free tier, what should you expect about their paid tiers? You could argue you also shouldn't be using paid services that could behave that way but I think you'd struggle not to.
I agree with what you said, but I think “courteous” might be a better word than “fair”. Whatever word you use, I take it as a sign that unpaid use isn’t as welcome as I thought.
Years ago I worked in customer service. There was this guy who came in to motivate us. He talked about the work of someone named Bob Farrell who had a chain of ice cream shops and sold burgers. He had received a letter from a disappointed customer. The customer had been given the extra pickles on his burgers for years and now one of Bob's employees told him he now had to pay extra for it. The customer said he'd never come back. Bob could have said "what an entitled idiot" and kept charging for pickles but he took that letter as a calling for how you should treat customers - just give 'em the pickle. It costs you next to nothing to give the customer the pickle and it makes them happy.
Minio doesn't have to give non-paying users anything, but the story still applies. Give them the pickle. It costs nothing in the grand scheme of things, and if it does, ask for donations like any open source project would do to cover your costs. But as others have pointed out, Minio is not an open source company, they are a commercial company that has source available.
> Minio doesn't have to give non-paying users anything, but the story still applies.
How on earth does it apply when your complete example story relies on the satisfaction of the paying customers. If you're not paying, you're not a customer - you're a user.
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
1. The MinIO image on Docker Hub has more than a billion downloads [^0]. With those download counts, people have almost certainly written scripts that rely on this image existing (including their own Dockerfile! [^1]). Them leaving these images around is just asking for security breaches later down the line.
1b. While, yes, no-one's entitled to freely-available container images, it cost them almost nothing to maintain their existing toolchain for this. Them deciding to pull the plug is purely and entirely a money grab (and a dumb one, if you ask me; look at how the community responded with OpenTofu when Terraform went BUSL).
2. Fortunately, MinIO is a Golang app and can be built with a simple "go install" (though the build instructions in their docs don't align with the build recipe in their Makefile [^2]). However, they could pull a Tesla and make the source that they publish differ from the source that their binaries are built from.
3. They gave NO notice. That's the slimiest part of all of this. Tens of thousands of Kubernetes clusters, and handfuls of enterprise products, run or package MinIO that are now using images that will no longer be updated. All of these people will need to completely change their toolchains to account for that, and soon. That's just not a kind thing to do.
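An added example, not part of the comment above and not MinIO's own tooling: a small Python scanner for the situation that comment describes, finding Dockerfiles and Kubernetes or Compose manifests that still reference the `minio/minio` Docker Hub image and sorting the hits by how they are pinned. The file contents, the all-zero digest and the `registry.example.internal` host are constructed sample data; the release tag format is the one quoted elsewhere in this thread.

```python
"""Find build and deploy files that reference an image repository
which no longer receives updates, and classify each reference."""
import re
from datetime import datetime, timezone

# Repositories to flag. "minio/minio" is the Docker Hub image discussed in the
# thread; add mirrors or internal copies yourself (assumption: you know them).
WATCHED = {"minio/minio"}

# A Dockerfile FROM line or a Kubernetes/Compose `image:` field.
IMAGE_LINE = re.compile(
    r"""^\s*(?:-\s*)?(?:FROM\s+(?:--platform=\S+\s+)?|image:\s*)["']?(?P<ref>[^\s"']+)""",
    re.IGNORECASE,
)
# MinIO release tags look like RELEASE.2025-04-22T22-12-26Z.
RELEASE_TAG = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")
HUB_PREFIXES = ("docker.io/", "index.docker.io/", "registry-1.docker.io/")


def parse_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:  # a ':' before the last '/' is a registry port, not a tag
        name, tag = ref[:colon], ref[colon + 1:]
    else:
        name, tag = ref, None
    for prefix in HUB_PREFIXES:  # explicit Docker Hub hosts name the same repo
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    return name, tag, digest


def classify(tag, digest):
    """Return (kind, release_time) so findings can be triaged.

    floating       - no tag or `latest`: resolves to the last image ever pushed
    release-pinned - fixed release; release_time shows how old the build is
    digest-pinned  - immutable; can never pick up a fix
    other-tag      - anything else, needs a manual look
    """
    if digest:
        return "digest-pinned", None
    if tag is None or tag == "latest":
        return "floating", None
    m = RELEASE_TAG.match(tag)
    if m:
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")
        return "release-pinned", when.replace(tzinfo=timezone.utc)
    return "other-tag", None


def scan(files, watched=WATCHED):
    """files maps path -> text. Returns one finding per watched reference."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = IMAGE_LINE.match(line)
            if not m:
                continue
            name, tag, digest = parse_ref(m.group("ref"))
            if name not in watched:
                continue
            kind, released = classify(tag, digest)
            findings.append({"file": path, "line": lineno, "ref": m.group("ref"),
                             "kind": kind, "released": released})
    return findings


# Constructed sample input (not taken from any real repository).
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM --platform=linux/amd64 docker.io/minio/minio AS store\n"
        "COPY init.sh /init.sh\n"
    ),
    "k8s/minio.yaml": (
        "spec:\n"
        "  containers:\n"
        "  - name: minio\n"
        '    image: "minio/minio:RELEASE.2025-04-22T22-12-26Z"\n'
        "  - name: sidecar\n"
        "    image: registry.example.internal:5000/tools/logger:1.4\n"
    ),
    "compose.yaml": (
        "services:\n"
        "  s3:\n"
        "    image: minio/minio:latest\n"
        "  pinned:\n"
        "    image: minio/minio@sha256:" + "0" * 64 + "\n"
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        age = f["released"].date().isoformat() if f["released"] else "-"
        print(f'{f["file"]}:{f["line"]}  {f["kind"]:<15} {age:<10}  {f["ref"]}')
```
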
"It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images."
While this is true, in all of these discussions, somewhere the notion of responsibility often gets lost.
If you publish a project, encourage people to use it, promote it heavily, etc, then get lots of users, and then decide to kill it, while it's true you legally owe nobody anything, it's sort of crazy to claim people are acting entitled when they complain.
After all, you encouraged people to use it and promoted it!
Again, do you legally owe them anything? Nope.
I am much more empathetic towards those who get surprised by the growth of their projects, or otherwise didn't try to make their project popular and decide to quit when it becomes too large too quickly and becomes a burden.
In general, if you try to encourage lots of people to use or do something and succeed at that, you end up with various forms of social responsibility to those people. That's true in most things, not just open source.
Open source does not get a pass at this social reality simply because, as a legal reality, those users are not owed anything.
You don't understand, or don't agree with the complaints. Those are two different things, and I suspect you understand why people are complaining and instead disagree with the complaints.
People are complaining because something was available, they adopted it, then it was discontinued. Apparently with little warning, and after they'd been encouraged to adopt it by the provider of the images.
As it happens, I agree with the general idea that if folks are not paying for the convenience of builds, then it's on them to work from source. However, it's better IMO if a vendor or project start from that position rather than what's seen as a rug-pull.
Of course, it's part of the playbook: when something is new and not widely adopted, the vendor goes to great effort to encourage adoption -- then the vendor starts looking at the paid vs. free usage and sees "huh, we have a 10000:1 ratio of paid to free users, including ten megacorps that show up grabbing binaries every 10 minutes for their CI/CD farm, and asking questions in our forums, but aren't paying a penny toward development and our investors are getting pissy."
Exactly. Looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
Or one can just use old images. Which is what many people started doing after their other fuckup - removing perfectly working web UI from free version.
They just can't stop shooting themselves in the foot that didn't even heal from last time.
The last tag with a working web UI is RELEASE.2025-04-22T22-12-26Z btw.
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
Is it an excuse? Maintaining code costs money, and the previous versions are provided under the license, and you're free to modify it, pull selective patches and maintain them yourself. While it'd be convenient if the license was a promise to develop and maintain features for free in perpetuity, it just isn't.
I run into this in non-company backed open source projects all the time too. Some maintainer gets burned out or non-interested and all they're rewarded is people with pitchforks because they thought there were some sort of obligations to provide free updates and support
It is sort of an excuse. I don't use MinIO precisely because of this kind of behaviour - if I cannot easily develop, configure and test our applications, I'm not adopting it commercially, specially when there are a ton of options to choose from. In the end, this hurts the MinIO's enterprise offering. Having a robust, easy to deploy community edition, with predictable features, is a great way of allowing integrators to develop and test using your product, and to help the product to gain traction.
Conversely, if instead of making your users happy to pay you, you've made them happy to use your stuff for free, you own the consequences when you stop giving that stuff away.
Welcome to HN BTW, I see you were inspired to sign up and defend the project owner.
The ladder is still there! See that pile of wood there? That's where we put the rungs. And if you dig in that hole over there you might even find the extension we removed last week...
I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.
Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
There is a major difference between having an old image available and having it tagged as latest with no updates being available on a channel that before that published all updates with nearly no time delay
So that's not the same thing. Docker "official images" are a category of curated docker images. Minio is not one of them. The official curated images are here: https://hub.docker.com/u/library
The minio image is basically a community one that anyone could have created, but still shows in overall docker hub. It's created by minio themselves. I'm kind of surprised they haven't removed it, but with over a billion downloads they are easily in the top ten of whatever category they fall under creating substantial free advertisement.
> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.
People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?
Regrettably Docker has let me know they are uninterested in taking any action.
"Hello,
This does not qualify as an infringement to our Terms of Use policy. Deprecating such images and repo(s) is the responsibility of the owner and we recommend you reach out to them.
Docker advises its users to opt into using images under our official programs and offerings such as Docker Official Images and Docker Hardened Images.
Thank you,
Security@Docker"
In their ToU under section 6.6, they outline how they may scan images for vulnerabilities and request the owners of said packages fix it, or simply remove it from their site. They clearly do not do this though even when notified of the high criticality vulnerability.
Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. Centos https://hub.docker.com/_/centos/tags)
I think the most they'd do is add the DEPRECATED note to the Docker hub page as they have done for things like Centos
Imagine the absolute chaos if docker would do that, pull vulnerable images offline. Not a single company would be able to build their software anymore.
Actually, Docker did something like that, where they limited the amount of docker images they would host for you for free to a reasonable number. The result was pretty similar to this current outcry: https://news.ycombinator.com/item?id=24143588
Yeah. They also created an open source test suite for S3 clones.
This is a set of unofficial Amazon AWS S3 compatibility tests, that can be useful to people implementing software that exposes an S3-like API. The tests use the Boto2 and Boto3 libraries.
Can vouch for it as an adequate self-hostable option. It has some missing features, compared to Minio, and is less compatible but works for most applications.
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
If anyone is wondering, the Dockerfile for this repo (thanks for sharing!) basically just copies the binary in, it is a 19 line dockerfile.
I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself.
>I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself
I don't. It's automated, it needs approximately zero attention. This is just a company that got where it was benefitting from open source taking the free toys away thinking there'll be profit in it.
Curious how you handle legal reviews by your customers' shipping AGPL licensed software? We've had a lot of pushback from legal even on licenses like MPL
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interesting to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
garage devs have told me of 10PiB+ deployments in production, but I've never operated one at that scale so I can't share much insight into the experience. Probably best to ask on their matrix chat.
1. MinIO is a business and they don't owe anything to anyone for free.
2. People using the OSS version also are free to express their dissatisfaction.
This is not contract law though. This is about using OSS as a marketing gimmick to get mindshare, penetrate the market and then do a bait and switch.
From one hand, it is within their right to do whatever they want as marketing.
From the other hand, we as the community should be more aware of OSS as marketing vs OSS as we would like to see it.
There is a damage to the community however: this erodes trust in OSS companies, so just like "content marketing" or "influencers" or any other type of marketing, after a while it loses its effectiveness, to the detriment of real "content", real "influence" and real "OSS".
People should understand from the outset that open source contributions from for-profit companies must benefit that company.
For VC-backed companies -- or anything else where it's spend now, profit later -- the bait-and-switch is practically inevitable.
(Or, of course, the company can simply stop contributing, either from going out-of-business, or pivoting, or being acquired, etc.)
If you're considering building long term on oss from a for-profit company you should count on having to pay in the future. You should believe you have a decent understanding of their business model so you have an idea of how much you might need to pay. Of course that's usually very difficult for VC-backed "spend now, pay later" companies, so you might be best off avoiding them for anything long-term or foundational unless you think you can bear to switch, possibly on short notice.
I generally agree with your point. Over the years of being responsible for technology stack choices, I've come to apply one rule of thumb on OSS projects: is the project a core competency of the company behind it or not. For example, Github might open source their language detection library or Shopify might open source some frontend development project. These are not core competencies of Github or Shopify. Their business is somewhere else.
However, if I start a business and open source my core competency, with or without VC money, I will have to turn a profit or die, which leads to such outcomes, from MinIO to Hashicorp.
I agree with all the points you make. Just adding a detail to the following bit:
> 1. MinIO is a business and they don't owe anything to anyone for free.
I don't think MinIO discontinuing the free docker image is really the problem here. Creating and distributing such images cost them practically nothing - either in infrastructure costs or in HR costs. If they find it that difficult, they only need to say it. Either the community or another company will gladly take it up for free. Even other cloud projects have alternative distributions like Bitnami builds.
The real issue is the pattern of behavior that this move exposes. They seem to have removed the web UI from the community edition claiming that it's hard to maintain (another thing the community would have gladly taken up if they were informed). They also stopped updating the community documentation. And these largely escaped attention until the docker build was discontinued. That itself is controversial since much effort wasn't spent in letting the users know that their current image was going to suffer bitrot indefinitely. Apparently there was also a CVE which was fixed in the source. They didn't consider it necessary to at least push the fixed container as a final measure.
All these are certainly hostile and unkind towards the community and it's bordering on dishonesty. They didn't lie. But neither did they do the bare minimum expected when taking such a drastic measure. It's clear that they're withdrawing their generosity for more profits after gaining a lot of mindshare with their earlier offering. I don't believe that the docker image alone would have inflamed the community so much.
I don't think this is really a big deal. Plenty of others already maintain public OCI images of Minio (Bitnami is one example). So long as that's the case, there are options. I'm not familiar with Minio's licensing terms, so maybe they can put an end to that practice if they want to, but I suspect there are drop-in replacements other than the official Minio Docker Hub image.
What Minio is doing wrong here is thinking too highly of themselves. Their product is a fine implementation of S3-compatible object storage. It has some features that make it attractive for selfhosting. It's far from the only solution, though. The harder they make it to use, the more people are going to switch to easier alternatives.
A lot of companies try to lock down their popular open source/free products once they have a large market share. It always backfires.
Hashicorp did this. There's no reason to use Terraform anymore; OpenTofu is a drop-in replacement that is just as good for almost everyone, and all the community support will shift to it such that it will inevitably be far superior to Terraform.
Redis became Valkey. MySQL became MariaDB. OwnCloud became Nextcloud.
There are countless examples. Yeah, the commercial entities continue to exist. For companies that need support and contracts, there will still be a market. But they are destroying their pipeline for new customers. Why would anyone use a closed commercial project with no community contribution when there's a free, open source option that's either a 100% compatible drop-in replacement or a low-effort pivot to a functionally-equivalent solution without vendor lock-in and burdensome restrictions?
Minio is shooting themselves in the foot. Most people don't give a crap what's backing their object storage, so long as it works.
Yeah, I saw that recently. linuxserver.io bundles a lot of apps into OCI images, and I use many of theirs because they tend to be better-designed than official ones—or at least more consistent.
And while some people might be intimidated by it, it's not a huge lift to make your own images. I don't mean to trivialize it, because it's at best inconvenient, and can be challenging. In many cases it's only a few minutes of work to bundle something up. LLMs are great at this. For a Golang app like Minio, it's a piece of cake, since you don't have to install a zillion dependencies manually.
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and "While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
What makes me sad is that, as mentioned in other threads, this destruction in reputation could've totally been avoidable. If MinIO had taken the time to give out warnings months in advance and help community members (or even other companies) to host the Docker builds somewhere else, there would've been close to no backlash. Yet they've decided to make it such an abrupt transition and especially when a CVE is involved.
It's absolutely stunning that people actually defend this behaviour!
The community is having an outrage - and rightfully so - about a silently discontinued artifact delivery at a very critical time.
Which is their opinion and every human being is entitled to have their own opinion and state it openly.
It is also perfectly fine to expect a standardised behaviour to continue.
However, what is most important is that it is perfectly fine to shame an open source product for pulling features and money grabbing people after years of gathering community and locking them in.
I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
You are a farmer, not a big fancy profitable one. Your tractor is from 1970 and works great, when it works. Your wife has health problems and can't really help out around the farm much - kids have gone off - so you just do things mostly by yourself. With your lucky dog Skip by your side. Even though times are tough and money ain't coming in like it used to - you still give free produce to the local schools and shelters. You've been doing it for over 20 years, and the community loves you for it.
But then your wife passes. Medical bills are too high. You can't give away free produce to the local schools anymore.
The community is outraged. They come to your farm with pitchforks. They set your barn and fields on fire.
> I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
Not very much at all. It looks like they're hosting on Docker Hub which doesn't charge for bandwidth. I could create a pro account for $11/month and be able to serve an image billions of times. The compute to build an image is small enough that it can be done at whim on a dev machine.
But when you plug in the numbers: that the farmer raised $126 million, and hosting unlimited Docker Hub pulls costs $11/month, it doesn't quite feel the same.
It's more like the farmer was giving leftovers for free to schools and it was so good that it made him famous. People from all over the country came in, including businessmen who told the farmer he is missing out and should be charging more for his food.
He started a restaurant chain, but the businessmen went further and said that a quality product cannot be given away for free and made him stop supporting schools and shelters which got him rich and famous in the first place. Even though he was just handing over leftovers (it cost around USD 100 to host a docker image - yearly)
Think EA, Microsoft and Xbox, Broadcom and bitnami.
I don't understand the point. The entire raison d'être of this project is that you self-host it and don't pay money for S3 and control your supply chain.
If you are denied this possibility — it is much easier just to use S3.
I haven't used minio in years, and when I did I only fiddled around with it, but my recollection of it is that it's about the simplest build chain imaginable. Install modern golang, build minio, get single binary.
Anyone relying on an opensource tool like minio, needs to look at:
* organization supporting it
* the license
* the build chain
* who else uses it?
* the distribution artifact needed for production.
Once you've looked at that you can decide "is this an anchor I want to handcuff myself to and hope the anchor won't jump into the icy blue deep taking me and my dreams with it?"
If the org behind it ever decides to rugpull/elastic you, what're you gonna do? At least with something like minio, if they're still distributing the source it's trivial to build (and if you can't build it you should evaluate if you're in a position to rely on it).
Let's look at other cool open source things like SigNoz which distribute only docker artifacts (as far as I remember, anyhow) -- if they were to rugpull that people relying on it would be totally lost at sea.
This isn't to say that this isn't poor behavior on minio's part, but I feel like they've been signaling us for a while that they're looking to repay their VC patrons.
They have also removed the web UI and stopped updating the documentation for the community edition. The former is not extremely serious as the community can easily replace it. The latter is arguably the worst among all the changes that we know of. While they do redirect community documentation towards its enterprise counterpart, it's becoming clear that the differences in the community edition won't be addressed at all. That will make MinIO community edition less viable over time.
Overall, it's pretty clear that they don't view the OSS users kindly or want them around. I'm pretty sure that they would drop the entire community edition if they could do so legally and without much fuss. You can expect more like this in the future. So this story shouldn't be seen simply as the loss of a docker image.
Right -- I think it's quite clear that if you're relying on the free minio you need to look elsewhere or peer up with some others and fork it.
And any adoption of a critical piece of software needs to have a risk calculus associated with it of "what if they get bought by CA, invaded by Russia and murdered, murder their wife and go to jail, or dedicate their remaining time on earth to writing haiku?"
Both open source software and commercially supported software have risks and mitigations. I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
Unfortunately yes. I have been looking at one of the well-known VPN infrastructure providers and they use "AI" on their website a bazillion times. Insane.
Ceph is an open source project run by a foundation. Minio is a company backed by VCs looking for a return. There is also seaweedfs, powerscale, openstack swift and hyperstore. The S3 compatible space is crowded.
Curious about one thing - does Ceph's s3 compatible api support oidc based auth? We used to use this with minio before switching to aws s3 and using presigned URLs.
As a user of Ceph it does feel like a truly open source project. Redhat/IBM do sponsor a lot of work on the project but there are lots of other contributors. I have contributed maybe a dozen changes myself and it was quite easy to do and the maintainers are fairly responsive.
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Anyone including MinIO. So why did they stop doing it when it was so easy?
Especially because they haven't provided any reasoning for this decision, so everyone assumes the worst. I can't really think of any reason for this that puts them in a positive light either, can you?
I have a 160TB minio cluster running for 4+ years that has dealt beautifully with node outages, one drive failure and the occasional hiccups on the datacenter.
I was okay with not having support because I am not part of their customer base. I was okay with not having the webUI, though I wish they made an option where the webUI would be available for some basic-tier paid customers. But I can not be okay with this move. They are just giving the finger to all the community. They never tried to work out a solution that could let smaller users contribute or support.
I will seriously have to consider moving to Hetzner object storage.
Every time I used it for more than that I ran into performance and other concerns (like durability and consistency) pretty quickly. I cannot imagine how this is used seriously when there is something like Ceph available.
Turns out most file systems are horrible key-value stores.
>I cannot imagine how this is used seriously when there is something like Ceph available.
Adopting Ceph is adopting a Ceph engineer, any use-case with the need and funding to run Ceph on production would easily be able to pay for commercial licenses and/or contribute majorly to this or their own fork. They work in different ball-parks entirely
Yeah CI tests and local dev environments for code that runs against S3 in prod. Right now sifting through the alternatives for whatever is easiest to run as a container in Github actions or docker-compose...
I use it to test my tiny written-from-scratch S3 client in my server app. But then I already have it installed, it already works, and I don't care about updates.
Hey Mike Donovan here. I work at Docker and help with the Docker Official Image (DOI) program. If you're interested in a DOI being created to support the MinIO community chime in here: https://github.com/minio/minio/discussions/21655
I'm glad to have migrated to garage in time. This is quite unfortunate though as a lot of open source projects, like plane.so, used minio via container images for s3 with docker compose.
MinIO has taken away the admin UI for everything except a bucket browser in one of the last releases.
And now they have stopped publishing updates to their community edition docker images.
As the linked GitHub issue points out this now means at least one vulnerability will be unpatched (unless you install from source or switch the image) for anyone relying on updates to the original container image.
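For anyone who needs to find where a deployment still pulls the frozen upstream image, here is a small inventory check. It is an added example, not code from this thread or from MinIO; it assumes the upstream image is Docker Hub's `minio/minio` (extend `UPSTREAM_REPOS` for other registries), and the sample manifest is constructed.

```python
import re

# Assumption: the frozen upstream image is Docker Hub's "minio/minio".
UPSTREAM_REPOS = {"docker.io/minio/minio"}

# Matches `image: ref` in Compose/Kubernetes YAML and `FROM ref` in Dockerfiles.
IMAGE_LINE = re.compile(
    r"""^\s*(?:-\s*)?(?:image:\s*|FROM\s+(?:--platform=\S+\s+)?)["']?([^\s"'#]+)""",
    re.IGNORECASE,
)


def normalize(ref):
    """Split an image reference into (registry/repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon after the last slash is a tag; before it, it is a registry port.
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    first = parts[0]
    # Docker treats the first component as a registry host only if it looks like one.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    if registry in ("index.docker.io", "registry-1.docker.io"):
        registry = "docker.io"
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"  # implicit default tag
    return f"{registry}/{path}".lower(), tag, digest


def find_upstream_minio(text, source="<inline>"):
    """Return one finding per line that references the upstream image."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        repo, tag, digest = normalize(match.group(1))
        if repo in UPSTREAM_REPOS:
            findings.append({
                "source": source,
                "line": lineno,
                "ref": match.group(1),
                "tag": tag,
                "pinned": digest is not None,
            })
    return findings


# Constructed sample: two upstream references, one third-party build,
# one private mirror with the same path, and one commented-out line.
SAMPLE = """\
services:
  s3:
    image: minio/minio:latest
  s3-pinned:
    image: "docker.io/minio/minio@sha256:<digest-placeholder>"
  s3-alt:
    image: bitnami/minio:latest
  s3-mirror:
    image: registry.example.internal:5000/minio/minio:latest
  # image: minio/minio:old
"""

if __name__ == "__main__":
    for f in find_upstream_minio(SAMPLE, "docker-compose.yml"):
        how = "digest-pinned" if f["pinned"] else f"tag {f['tag']}"
        print(f"{f['source']}:{f['line']}: {f['ref']} ({how}) will get no further upstream updates")
```

A private mirror with the same repository path is not flagged, because the script cannot know what it was synced from; check mirrors separately.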
My loss exactly was that minio lost most of its appeal when it stopped having an integrated management console. It also seemed they were moving into a direction where features were gonna be more separated off for their AIStor products over the community edition (a fair move but not something I want to happen to my deployment).
I feel like this could be used till the time plane.so or other projects feel like they could migrate to garage or maybe just use these coollabsio minio docker image?
My problem was mostly that MinIO was not significantly better for my use-case than garage after the admin console was yanked. Thank you for the pointer though, I will take a look at this for my plane.so instance (using a private containerized minio there still).
While not notifying of the change earlier is annoying, I also don't see anywhere stated that they're obligated to provide services in addition to just providing me the source. Moreover the build-instructions don't seem complicated at all, anyone already extracting value from this should be capable of pulling the source and keep on running with it.
With docker build comes a whole slew of dependencies that you wouldn't have with official images. You need some place to host the image, or build on the servers you use for deployment, and cross platform compilation (i.e. ARM images) becomes an issue.
It'll take more time than just typing out a comment on HN to get all of that in play. Actually getting a docker registry of your own set up with auth and everything can easily take half an hour, and adding+testing periodic sync and compile steps in your CI/CD will take another couple of hours if you're not set up for it.
Hardly the end of the world, though. Reminds me of the infamous "why can't people on github just give me the .exe" reddit troll post.
Fun, I had just started using it as the data store for a distributed Rust compilation cache, guess we're moving that somewhere else. Hopefully the choice of NixOS as our server OS will make this easier rather than harder.
What alternatives do people recommend that have at least a similar feature set and at least similar performance as MinIO?
> We initially explored a basic admin UI for the community branch but haven't actively maintained it. Building and supporting separate graphical consoles for the community and commercial branches is substantial. Honestly, it is hard to duplicate this work for the community branch. A whole team is involved in console development, including design, UX, front-end, back-end, and pen testing. This commit introduces an enhanced object browser but removes the unmaintained admin UI code.
They deleted the admin UI from the current version of the open-source side. It's time to pay the VCs, the project is being rug-pulled and they're going all in on the enterprise version.
I believe it's too early to judge public adoption. Let's see in a few years if it degrades somehow. For now, they jumped from 55,880 to 56,319 GitHub stars in one day.
From the product side, I don't see how this should affect new adopters who didn't read the hn post yesterday
Lots of people in this thread keep repeating the idea that, "Nobody owes anybody anything".
Sure, just like nobody owes minio goodwill or business. People sour on these kinds of things because they feel sneaky and backhanded. It tells you something about the kind of people you're working with.
Imagine if a food kitchen suddenly started charging for the food, without notice. Or they started charging to use changing rooms in clothing stores. Etc, etc. You'd, rightly, expect a negative reaction, even if the "food kitchen doesn't owe anybody anything".
The biggest misstep in these situations is the corporations avoiding being honest and communicative about why the changes are suddenly necessary. We all know, intuitively, that in most cases it's because it's not for a good reason. It's because they are greedy or otherwise feel pressured to show infinite growth.
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
> Leaving a known unsafe version as the last release is irresponsible.
I think they should have done a better job of announcing this ahead of time (or at all, really); but there's realistically never going to be a CVE-free release to stop on, because the next CVE is just around the corner.
I'm not sure why I got downvoted here. Minio's behavior here is shitty - but in a day or a month after the last image is released, there /will/ be a CVE that affects that image. By GP's statement, when are they then able to stop releasing?
Maintaining docker builds isn’t that huge of a burden (and likely very useful for them too), and they’re delegating hosting to a third party… I don’t get what they’re trying to achieve here.
What are folks doing who were just using it for CI/test/dev environments? Just build the image yourself? Use Garage as some have suggested? I'm curious what people see as the pros and cons.
On one hand, MinIO isn't obligated to anyone... on the other hand, there's a lot of people who now feel obligated to not use MinIO anymore. Given that MinIO won't patch their container images, they are obligated in many cases. A Dockerfile that actually builds instead of copying binary blobs should be as simple as one that executes `go build`. So a fork that just adds that one step seems inevitable. Seems such a waste on many levels.
Why? The maintainer in the link chooses to be a dick and refuses to explain literally any of the weird decisions they've been making. That would at least help people understand?
This reminds me about the bitnami containers. They pulled the docker images so everyone migrated away because they fear they will also pull the artifacts building the project. They never said that. They seem to be continuing to update the projects and providing access to the artifacts. It is very easy to build the dockers... it is just a dockerfile really... There is really no upside to stop updating the projects, it is free marketing...
Shame. Textbook OSS rug pull. These people love to rely on OSS, and claim how committed they are to contribute to the ecosystem and to their community, but as soon as people are drawn to the project, start relying on it and using it in the same spirit of OSS that they enjoy themselves (which their chosen license allows, mind you), then it becomes a financial burden, priorities shift to their commercial offering, there's no "bandwidth" to maintain and support the "community" edition, and so on.
STOP ABUSING OSS AS A MARKETING GIMMICK.
Or perhaps some advice to people who might actually listen: stop being attracted to open source projects because of the word "open", and because you can use it gratis. There are plenty of good proprietary and commercial software whose authors treat their users with more respect than these leeches of good will and abusers of trust.
I'm not against OSS being commercialized. In fact, I think that it's crucial for maintaining a healthy project in the long-term[1][2]. But this lingers on the developer having respect and equal regard for all their users, regardless of how much they're paying them. Yes, nobody working on software should be expected to work for free. But there is a philosophy behind this movement that goes beyond a financial transaction. It only works if everyone in the ecosystem is honest, and first and foremost has the intention of making the world a better place for everyone, by not only depending on others who have this mindset, but by adopting it themselves. Claiming to be part of the OSS community, but being hostile to your OSS users is dishonest at best, and worthy of all criticism.
>It only works if everyone in the ecosystem is honest
In general, applying this to anything with the general public, I don't expect it to work. This is why we have laws, licenses and rules in the first place. You can preach all you want but it won't change humanity, you need something concrete, something written and agreed, like a license.
Not all licenses protect the freedoms and rights you're used to in other licenses, and it needs to be taken into account when adopting any project. License terms that don't guarantee any sort of support or updates when you need them aren't in consideration at that point.
If you don't trust people, then OSS is not for you.
You can't claim to provide software as a public good, while also gatekeeping it only for specific groups of people. If you want to do that, then choose a restrictive license, with the exact terms of use you're comfortable with, and don't work in the open to begin with. That is a valid strategy if your main priority is getting paid.
My objection is towards people who use OSS licenses, but then take issue when others actually use the freedoms they've granted, and proceed to enshittify the project by removing features, putting them up behind a paywall, and in general being hostile and ignoring the user base they've gained in large part thanks to OSS. This is using OSS as a marketing tactic, which undermines the whole point of open source and the free software movement.
This is interesting. I've recently been doing quite a bit of research into what my "future stack" is going to be for backend. MinIO regularly came onto my radar but one heuristic (among many) I use to determine which software is TRULY open source and which is far less likely to remain open source is whether they even provide a link to their Github page and prominently display it on their website. MinIO was triggering my "not really open source" radar for this reason.
I'm still dabbling but have kind of latched onto the idea of using Ceph. To my understanding they were acquired by RedHat, and the project has all the signs of real open source, including the fact that it originated as a doctoral research project at the University of California, Santa Cruz, with initial funding from the U.S. Department of Energy.
While I understand the frustration with MinIO’s approach here, I want to be upfront about what Cloudian HyperStore is and isn’t - it is designed for multi-node, multi-site deployments (think 3+ nodes minimum) and performs best on bare metal or dedicated infrastructure rather than containerized environments.
It’s a very mature S3 and offers IAM, SQS and STS endpoints as well.
If you’re running MinIO at scale in production and looking at migration options, I’m happy to connect you with our team who can discuss whether HyperStore makes sense for your use case.
That said, for single-node dev environments or lightweight deployments that many here are using MinIO for, the community alternatives mentioned in this thread are probably better fits. Different tools for different scales.
Happy to answer any technical questions about HyperStore’s architecture if helpful.
No, Cloudian did not develop MinIO - completely separate companies. MinIO was developed by MinIO Inc.
Cloudian makes HyperStore, which is our own S3-compatible object storage solution. We’re a competitor to MinIO, not affiliated with them in any way.
It is unfortunate, but somewhere you need to draw the line, if you are planning to stop releases. If they fix this, how about the next? Why fix this one but not the next CVE? Is the reaction same next time and they end up fixing endlessly?
IMO they should've waited at least a month after updating their README. The timeline is rather short.
It'll be hard to convince people to buy their commercial offering after pulling something like this.
On the other hand, they did the work for free, so it's up to them to decide when to stop doing that. Plus, anyone can fork the repo and maintain their own version with fixes and docker images and everything.
Just make a fork and release built images via github actions with ghcr. Then ask people to switch to it.
The great thing about open src is the ability to walk away. removed features in new release? fork and put it back. quit complaining and be the change the world needs you to be
I am guessing here but I do understand why they want people to open source the management code of minio and in some cases how it is integrated into a product. I understand that AGPL might not be written for these requirements but I think it is time for a new such license.
If it is part of a SaaS product that is sold I can definitely understand why this is important.
> "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."
Quite a downward spiral for them. Wow. I mean I get the yearning for turning a profit, but this is yikes. This is the type of thing that guarantees most people using your open source / free variant never return.
THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM *"AS IS"* WITHOUT WARRANTY OF ANY KIND
They have no obligations to provide documentation, binaries or anything beyond the source code.
I personally think this is a better option than migrating from an open source license to a source available and I would like more projects to adopt this approach from the beginning of their projects, to set people's expectation right.
Which would be very relevant if anyone were trying to sue them for this - which no one is.
The license establishes the limits of legal requirements and responsibilities. It doesn't shield you from criticisms and people being annoyed with you.
It's sad to see a company that built itself using (and yes I purposely choose the word using) the community abandon the community in pursuit of maximal profit.
I think Minio is the only Go client for S3 API and S3-compatible APIs. I cannot say I liked using it, but I had no choice. Nowadays I run my own file storage with my own API, so I no longer care.
I've used the minio-go client library for about a year now. I don't see anything in the minio-go README or elsewhere to make me think it will no longer be supported. In fact, the most recently merged PR was yesterday. There are some other Go S3 clients, like https://github.com/kelindar/s3, but I don't know if any other Go S3 clients have the complete set of features that minio-go has.
Incidentally there is an open source S3 project in rust that I have been following. About a year ago, I applied Garage images to replace some minio instances used in CI pipelines - lighter weight and faster to come up.
They created their business on open source. Free software was their top of funnel. Free customers become paid customers, and fund the business. They are more than welcome to change this, but there is no way they don't end up with egg on their face, and that's what we're seeing here.
I was not familiar with MinIO until this post and I see now 694+ upvotes!
Can anyone give me some background on why MinIO is/was so used?
So many people want to self-host S3 compatible software?
Just asking, very curious about the whole thing!
Am I getting this right - someone has been providing things for free for a long time and now people are complaining that they are relying on getting things for free and the "someone" cannot just change this?
Shameless plug: try Minimus! Minimalistic and always updated container images. We have the MinIO image and it is always up to date. https://www.minimus.io/
Have been looking for a minio alternative for a long time already. Found versitygw lately and would like to share the joy. It feels very promising. Fits many small or lab use cases.
It does not actually solve the trickiness of managing large storage but relies on the backend (that is usually fs like zfs in small setups).
However, it seems to be quite a new project, plus the risk that the owning company takes it in a bad direction is there too.
Any recommendations for a simple S3 implementation for a local docker-compose development setup for mocking S3? Ideally with a nice UI to check/manipulate files.
A developer not offering builds themself is a common thing in package managers, like apt or pacman. I don't get why it should be any different for Docker images.
They've also tried to claim AGPLv3 will infect any networked client code too: "Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations. The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO." -- they've since removed that, utterly unsupported, argument, but the lesson to take home is they're really trying to prevent any non-paid use.
To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spewed out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
I'm trying to be charitable here, but you're being incredibly obtuse in your response. The issue here is very much not that someone has to build a Docker image. There's already a Dockerfile in the repo that works to build it, you didn't even need some LLM to do that for you. That's not the issue. The issue is that their existing Docker image has billions of downloads and they simply stopped publishing updates unilaterally with no material attempt to communicate this to their users when the current image is affected by a critical CVE that will now never be fixed.
If you don't understand the difference between these two issues, I would suggest it is /you/ that lacks the ability to add sufficient value to your employer (as if that's even a standard we should care about. We are people, not merely cogs in some VC's wet dream).
The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?
The timeline is rather short (the README announcing source-only releases got updated a week and a half ago) but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.
I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.
The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.
Open source is sick. Everyone wants it (both to maintain a successful project, and to use them) until you maintain a popular project for a reasonable time then you realise you're getting used for fuck all value.
We need a healthy way to support open source developers. This isn't working. Companies are taking advantage, and individuals are overwhelmed with choice and have delusional expectations.
It would be cool if The Linux Foundation had a fund to support open-source devs with stuff, like a stipend or hosting costs, kind of like what exists in the hospitality space. I know that this sort-of exists, but it feels distributed amongst a few big companies and is entirely at the whims of their quarterly performance.
They changed their license to AGPL, removed features (Web UI, etc.) and now they don't provide docker images/binaries. It's their project but; what's next?
I used MinIO for local dev. I can use S3 or R2 in some cases instead. Kinda crazy to find out that people use these Docker images in production. Why on earth would you do that?
Since the whole docker thing where people were complaining about having to pay 10USD, I am happy when OSS projects pull the rug, tech bros you're paid to solve your company's issues, nobody in OSS owes you anything, go earn your salary and build the docker image that fix the CVE, or stfu
We all know you don't care about loyalty, correctness or anything, you just want someone to do the work you're paid for
Spot on. The number of people who are seemingly completely lost without a free DockerHub build is terrifying. Maybe it explains why software quality has degraded so much over the last several years.
are you saying there's a bunch of human centipedes bopping around here who are both the people who would do the minio rug pull as the ones who complain about not getting free services?
Still don't get why on earth anybody would run a Docker version of MinIO in production. And why is this even a problem. Not like you put a private storage service on the Internet? Or do you? The incompetence of the average HN user is just mind blowing.
They abandoned documentation (edit: for the open source codebase) a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.
>The price of support comes in at slightly less than the equivalent amount of S3 storage
That's absurd. I would be running to NetApp and Dell for competitive object storage quotes then. Haven't done pricing on either one recently but at least a few years ago they were roughly half the price of S3 all in (including hosting costs).
> half the price of S3
No one other than hobbyists is paying full price on AWS.
Cloudflare is the cheapest, from what I understand, due to free egress and competitive pricing: https://www.cloudflare.com/developer-platform/products/r2/
Dell is one of the VCs they raised capital from =(
During an upgrade, I discovered that the console had been removed without any prior notice. MinIO really pissed me off. Over a month ago, I started looking for a MinIO alternative and found RustFS. I've been testing RustFS for over a month now, and the product continues to improve, with the community fixing bugs very quickly. I hope YC will invest in this company.
At the same time, I'm concerned that a YC investment means more of the same, eventually: open-source until it's no longer fiscally prudent.
Nothing like VC or IPO to ruin a perfectly good product...
There is a nice table here
https://github.com/rustfs/rustfs?tab=readme-ov-file#rustfs-v...
comparing RustFS to MinIO, including a claim about the MinIO support price.
Eh... however, I must add a strong note of caution. On their README, it states:
> RustFS is under rapid development. Do NOT use in production environments!
Also note that it seems to be a Chinese company (北京恒河沙科技有限公司), so security issues might arise.
That does sound much worse than hiding the pre-built images from users. I hope that documentation is archived. There's probably some benefit in documenting those installation tips elsewhere besides Github comments.
Yeah, running binaries of varying qualities taken from all sorts of places is a bad idea anyways. Distro packages are generally more consistent or even running "go build" yourself is probably better in this case.
But pulling existing documentation is a whole different matter. One can argue that they don't have an obligation to maintain the docs, though it would effectively make continued use of newer versions untenable. But pulling existing ones is an unnecessary rug pull when it doesn't cost anything to keep it online. It's a big middle finger to open source.
I'm sure it's been scraped to be regurgitated by a whole slew of LLMs.
old documentation doesn't help when the software changes
Well, gosh. Maybe I’m glad I didn’t get that documentation job with MinIO after all.
Unrelated but I find it funny that the Microsoft logo on the Install on Windows section is upside down on the redirected link docs.min.io/enterprise/aistor-object-store/
With 100PB clusters being built and not a cent going to them, you can see why minio has gone this route. I wonder if they will be "valkeyed"? Not by AWS presumably.
That's the open source model. It's entirely predictable that if you provide software at no cost that is capable of running 100PB clusters, that some people will and you won't get paid, because those are the terms that you set.
It's fine to change your mind, but doing it in this way doesn't build goodwill. It would be better if they made an announcement that they would stop creating/distributing images on some future date; I'm sure that would also be poorly received, but it would show organizational capacity for continuity.
If I'm considering paying them for support, especially at the prices quoted elsewhere in the thread, I need to know they won't drop support for my wacky system on a whim. (If my system wasn't wacky, I probably wouldn't need paid support)
That's a strange mindset, IMO. I'd be pissed if I had to pay $0.10 every time I turned a ratchet, and it's weird to expect companies to have usage-based monetization on the tools they've made for others.
> I wonder if they will be "valkeyed"? Not by AWS presumably
Almost certainly not, due to the AGPL license. I know Nutanix got into hot water about distributing Minio so I don't think any big shop will fork it.
If they charged a cent, would people adopt it in the first place?
They still got paid for those free users. Via investments. Cash is cash. I don’t KNOW what the RIGHT business model is, I don’t run MinIO, and neither do you.
Wait until you find out how much compute is being run on Linux without a cent going to Linus.
Nah, it's fine. It's Open Source, you can document it yourself if you need to! But there is no obligation from the MinIO authors to provide it, you're not entitled to it.
It sounds like you’re being sarcastic but what you say is correct and true.
It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will choose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will choose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVEs, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distribution's standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
</rant>
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Compare to bitnami: https://github.com/bitnami/charts/issues/35164
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> you are creating an expectation
That's entitlement but seen from the other side.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
This only inconveniences open source freeloaders. Maybe you can volunteer some time to build Docker images?
MinIO is not actually open source, their source code is just public.
The company I work at spun up a MinIO instance, and we got hounded by MinIO lawyers claiming we had to pay because "hosting MinIO alters the source because of injecting configuration" and therefore violates their open source license.
There have been multiple hacker news threads about this:
- https://news.ycombinator.com/item?id=32148007
> It's an Open Source project - I don't understand what people are complaining about
MinIO is a commercial company that provides some open source components and some paid components and services.
This meme where nobody is allowed to be unhappy with anything when the phrase “open source” is involved is getting old. In the span of two paragraphs your comment discovered why this is frustrating people: They have been providing certain things in the open source leg of their operation and then yanking them and stuffing them under a very expensive commercial leg later, after people have begun using them.
Being upset about that is reasonable and understandable, even if it triggers some of the people who believe “open source” means nobody is allowed to be unhappy with anything, ever.
Company makes Open Source. Open Source community embraces it, helps it to become the de facto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internally only, is the gatekeeping they are now doing.
It's like 0 effort to provide these images.
And yes pricing pages like this is always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow I don't get MinIO anyway. They got over 100 Million of investment for an S3 system. It's basically a done product. It's also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
> It's like 0 effort to provide these images.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining traction.
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
They removed the admin UI from the web frontend in the f/oss version some months ago, too. I updated for security reasons and they'd stripped the functionality out. It's a jerk move.
MinIO is open source cosplay.
I wrote this back in July: https://sneak.berlin/20250720/minio-are-assholes/
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
> I don't understand what people are complaining about. No one is entitled to receive free Docker images.
Every time I read something like this, I recall this post from Rich Hickey[1][2] on why no one is entitled to benefit from another human being's goodwill and time.
From the post:
> The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.
> Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.
[1] - https://news.ycombinator.com/item?id=18538123
But not everything can be "fair game" when providing a service for free. Surely it wouldn't have been OK if they suddenly included a bitcoin miner or extracted credentials. They offered a free service, people trusted it, depended on it. Now, in my view, they have some responsibility to their users.
Giving a notice in advance and releasing a final image that patched the CVE would've been reasonably responsible.
Certainly, there are some pretty entitled people on that github issue.
But this attitude is too far the other way. Fair enough, you are under no obligation to continue providing a free service. But isn't it fair to give a bit of notice before withdrawing it? Especially after doing it so consistently for so long. Not legally required, sure, but polite.
They haven't even given notice after withdrawing it! They just waited for someone to realise and ask about it.
Bear in mind that many paid for services, on a subscription basis, technically allow the seller to change (i.e. reduce!) the service at any time. If they act in bad faith to their free tier, what should you expect about their paid tiers? You could argue you also shouldn't be using paid services that could behave that way but I think you'd struggle not to.
I agree with what you said, but I think “courteous” might be a better word than “fair”. Whatever word you use, I take it as a sign that unpaid use isn’t as welcome as I thought.
> They haven't even given notice after withdrawing it!
Beggars can't be choosers. It's not fair to not give notice before no longer providing something for free? Come on now.
Years ago I worked in customer service. There was this guy who came in to motivate us. He talked about the work of someone named Bob Farrell who had a chain of ice cream shops and sold burgers. He had received a letter from a disappointed customer. The customer had been given the extra pickles on his burgers for years and now one of Bob's employees told him he now had to pay extra for it. The customer said he'd never come back. Bob could have said "what an entitled idiot" and kept charging for pickles but he took that letter as a calling for how you should treat customers - just give 'em the pickle. It costs you next to nothing to give the customer the pickle and it makes them happy.
Minio doesn't have to give non-paying users anything, but the story still applies. Give them the pickle. It costs nothing in the grand scheme of things, and if it does, ask for donations like any open source project would do to cover your costs. But as others have pointed out, Minio is not an open source company, they are a commercial company that has source available.
> Minio doesn't have to give non-paying users anything, but the story still applies.
How on earth does it apply when your complete example story relies on the satisfaction of the paying customers. If you're not paying, you're not a customer - you're a user.
Well removing any distribution after a CVE is a nice touch ...
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
You're correct, however:
1. The MinIO image on Docker Hub has more than a billion downloads [^0]. With those download counts, people have almost certainly written scripts that rely on this image existing (including their own Dockerfile! [^1]). Them leaving these images around is just asking for security breaches later down the line.
1b. While, yes, no-one's entitled to freely-available container images, it cost them almost nothing to maintain their existing toolchain for this. Them deciding to pull the plug is purely and entirely a money grab (and a dumb one, if you ask me; look at how the community responded with OpenTofu when Terraform went BUSL).
2. Fortunately, MinIO is a Golang app and can be built with a simple "go install" (though the build instructions in their docs don't align with the build recipe in their Makefile [^2]). However, they could pull a Tesla and make the source that they publish differ from the source that their binaries are built from.
3. They gave NO notice. That's the slimiest part of all of this. Tens of thousands of Kubernetes clusters, and handfuls of enterprise products, run or package MinIO that are now using images that will no longer be updated. All of these people will need to completely change their toolchains to account for that, and soon. That's just not a kind thing to do.
[^0] https://hub.docker.com/r/minio/minio/tags
[^1] https://github.com/minio/minio/blob/master/Dockerfile
[^2] https://github.com/minio/minio/blob/master/Makefile#L179
"It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images."
While this is true, in all of these discussions, somewhere the notion of responsibility often gets lost.
If you publish a project, encourage people to use it, promote it heavily, etc, then get lots of users, and then decide to kill it, while it's true you legally owe nobody anything, it's sort of crazy to claim people are acting entitled when they complain.
After all, you encouraged people to use it and promoted it!
Again, do you legally owe them anything? Nope.
I am much more empathetic towards those who get surprised by the growth of their projects, or otherwise didn't try to make their project popular and decide to quit when it becomes too large too quickly and becomes a burden.
In general, if you try to encourage lots of people to use or do something and succeed at that, you end up with various forms of social responsibility to those people. That's true in most things, not just open source.
Open source does not get a pass at this social reality simply because, as a legal reality, those users are not owed anything.
Back in July I clarified precisely what people are complaining about. It should clear up the matter.
https://sneak.berlin/20250720/minio-are-assholes/
You don't understand, or don't agree with the complaints. Those are two different things, and I suspect you understand why people are complaining and instead disagree with the complaints.
People are complaining because something was available, they adopted it, then it was discontinued. Apparently with little warning, and after they'd been encouraged to adopt it by the provider of the images.
As it happens, I agree with the general idea that if folks are not paying for the convenience of builds, then it's on them to work from source. However, it's better IMO if a vendor or project start from that position rather than what's seen as a rug-pull.
Of course, it's part of the playbook: when something is new and not widely adopted, the vendor goes to great effort to encourage adoption -- then the vendor starts looking at the paid vs. free usage and sees "huh, we have a 10000:1 ratio of paid to free users, including ten megacorps that show up grabbing binaries every 10 minutes for their CI/CD farm, and asking questions in our forums, but aren't paying a penny toward development and our investors are getting pissy."
Exactly. looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
But a properly built image is a nice part of a product release.
Building a quality production ready image is not trivial, and it's always welcomed from the vendor.
Usually it's the short notice that gets people's hackles up. It's kind of a dirty trick. Everyone knows things can change.
Uh this is a superficial take. It almost certainly took more effort to hide the images from the public than to publish them.
The community that made them is being shit on.
Or one can just use old images. Which is what many people started doing after their other fuckup - removing perfectly working web UI from free version.
They just can't stop shooting themselves in the foot that didn't even heal from last time.
The last tag with a working web UI is RELEASE.2025-04-22T22-12-26Z btw.
Terrible advice when a CVE is being discussed.
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
Is it an excuse? Maintaining code costs money, and the previous versions are provided under the license, and you're free to modify it, pull selective patches and maintain them yourself. While it'd be convenient if the license was a promise to develop and maintain features for free in perpetuity, it just isn't.
I run into this in non-company backed open source projects all the time too. Some maintainer gets burned out or non-interested and all they're rewarded is people with pitchforks because they thought there were some sort of obligations to provide free updates and support
It is sort of an excuse. I don't use MinIO precisely because of this kind of behaviour - if I cannot easily develop, configure and test our applications, I'm not adopting it commercially, especially when there are a ton of options to choose from. In the end, this hurts the MinIO's enterprise offering. Having a robust, easy to deploy community edition, with predictable features, is a great way of allowing integrators to develop and test using your product, and to help the product to gain traction.
It's different as a) they did offer it for free and b) have to maintain it for the closed version.
However, this is also a classic move, so shouldn't be unexpected behavior these days...
Conversely, if instead of making your users happy to pay you, you've made them happy to use your stuff for free, you own the consequences when you stop giving that stuff away.
Welcome to HN BTW, I see you were inspired to sign up and defend the project owner.
These are the same people who get mad at Red Hat because they think the 5K people who develop, maintain, and test all of the software do it for free
I understand the frustration; however using anything VC-funded, you are not paying for, is pretty risky.
It's still risky if you pay unless you have a contract guaranteeing what the renewal price would be.
It would be useful to have some kind of future feasibility risk analysis service for open third party dependencies.
Something that can be plugged into CI.
Perhaps something like this already exists?
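One narrow form of the CI check asked about above, which also finds the scripts and manifests that still reference the now-frozen image, as an added example (not code from this thread or from MinIO): it scans text for `minio/minio` image references and flags floating tags and release tags older than a threshold. The tag format is the one quoted in this thread; the 90-day threshold, the sample manifest, the second release tag, the registry host and all function names are assumptions made for illustration.

```python
"""Flag stale or floating minio/minio image references in build and deploy files."""
import re
import sys
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# An image reference to the minio/minio repository: optional registry prefix,
# optional tag, optional digest. The lookahead rejects longer names such as
# minio/minio-client and URL paths such as github.com/minio/minio/blob.
IMAGE_RE = re.compile(
    r"(?P<ref>(?:[\w.-]+(?::\d+)?/)?minio/minio(?![\w./-])"
    r"(?::(?P<tag>\w[\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?)"
)
# Release tags embed their build time, e.g. RELEASE.2025-04-22T22-12-26Z.
# A trailing suffix after the timestamp is tolerated.
TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)(?:[.-].+)?$")

MAX_AGE_DAYS = 90  # assumption: local policy, not a number from the thread
NOW = datetime(2025, 10, 25, tzinfo=timezone.utc)  # constructed "today" for the demo

# Constructed sample: a compose fragment plus a Dockerfile line.
SAMPLE = """\
# constructed sample input
services:
  s3:
    image: minio/minio:RELEASE.2025-04-22T22-12-26Z
  s3-dev:
    image: minio/minio:latest
  s3-mirror:
    image: registry.example.internal:5000/minio/minio:RELEASE.2025-10-01T00-00-00Z
---
FROM minio/minio
"""


class Finding(NamedTuple):
    line: int
    ref: str
    status: str  # "stale", "ok", "floating", "digest-pinned" or "unparsed"
    age_days: Optional[int]


def parse_release_tag(tag: str) -> Optional[datetime]:
    """Return the UTC build time encoded in a release tag, or None."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    try:
        parsed = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")
    except ValueError:  # right shape, impossible date
        return None
    return parsed.replace(tzinfo=timezone.utc)


def audit(text: str, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> List[Finding]:
    """Classify every minio/minio image reference found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IMAGE_RE.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            released = parse_release_tag(tag) if tag else None
            if released is not None:
                age = (now - released).days
                status = "stale" if age > max_age_days else "ok"
            elif digest:
                # Immutable, but the age cannot be read from a digest.
                age, status = None, "digest-pinned"
            elif tag in (None, "latest"):
                # Resolves to whatever the registry serves, which no longer moves.
                age, status = None, "floating"
            else:
                age, status = None, "unparsed"
            findings.append(Finding(lineno, m.group("ref"), status, age))
    return findings


def gate(findings: List[Finding]) -> int:
    """Exit code for CI: 1 if anything is stale or floating, else 0."""
    return 1 if any(f.status in ("stale", "floating") for f in findings) else 0


if __name__ == "__main__":
    # With file arguments, scan those files; with none, scan the built-in sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    now = datetime.now(timezone.utc) if sys.argv[1:] else NOW
    results = [f for t in texts for f in audit(t, now)]
    for f in results:
        print(f"line {f.line}: {f.ref}: {f.status} (age_days={f.age_days})")
    sys.exit(gate(results))
```

An age threshold only says that a pinned build is old; whether a given release contains a particular fix still has to be checked against the upstream advisory.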
What ladder are they pulling up? Feel free to fork the last valid commit and make a competitor.
The ladder is still there! See that pile of wood there? That's where we put the rungs. And if dig in that hole over there you might even find the extension we removed last week...
I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.
Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
You're letting docker's security team know that they're serving Ubuntu 14.10? https://hub.docker.com/layers/library/ubuntu/14.10/images/sh...
There is a major difference between having an old image available and having it tagged as latest with no updates being available on a channel that before that published all updates with nearly no time delay
Someone seems to already be at it on Discussions https://github.com/minio/minio/discussions/21655
So that's not the same thing. Docker "official images" are a category of curated docker images. Minio is not one of them. The official curated images are here: https://hub.docker.com/u/library
The minio image is basically a community one that anyone could have created, but still shows in overall docker hub. It's created by minio themselves. I'm kind of surprised they haven't removed it, but with over a billion downloads they are easily in the top ten of whatever category they fall under creating substantial free advertisement.
Oh that will be an interesting discussion to watch.
> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.
People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?
Zero trust is the way to assess threat. Not Internet access or not.
Regrettably Docker has let me know they are uninterested in taking any action.
"Hello,
This does not qualify as an infringement to our Terms of Use policy. Deprecating such images and repo(s) is the responsibility of the owner and we recommend you reach out to them. Docker advises its users to opt into using images under our official programs and offerings such as Docker Official Images and Docker Hardened Images.
Thank you, Security@Docker"
In their ToU under section 6.6, they outline how they may scan images for vulnerabilities and request the owners of said packages fix it, or simply remove it from their site. They clearly do not do this though even when notified of the high criticality vulnerability.
Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. Centos https://hub.docker.com/_/centos/tags)
I think the most they'd do is add the DEPRECATED note to the Docker hub page as they have done for things like Centos
Imagine the absolute chaos if docker would do that, pull vulnerable images offline. Not a single company would be able to build their software anymore.
Actually, Docker did something like that, where they limited the amount of docker images they would host for you for free to a reasonable number. The result was pretty similar to this current outcry: https://news.ycombinator.com/item?id=24143588
...Or just spend 10 minutes and familiarise yourself with the basic docker build command? It's really dead simple.
Then you have to maintain a pipeline and registry just to fix something that should be fixed upstream?
Not a full replacement but there is Garage, which was quite well received in other HN threads.
https://git.deuxfleurs.fr/Deuxfleurs/garage
Afaik Ceph has its own object-storage functionality as well, which seems to be S3-compatible: https://docs.ceph.com/en/latest/radosgw/#object-gateway
Yeah. They also created an open source test suite for S3 clones.
https://github.com/ceph/s3-tests
I believe you're forced to have your data backed by a Ceph OSD. Whereas Minio can point to an NFS share on a NAS.
Can vouch for it as an adequate self-hostable option. It has some missing features, compared to Minio, and is less compatible but works for most applications.
could you elaborate on this? we're looking at moving off cloudflare r2 in the somewhat near future and garage is on our short-list
I find garage to require quite a lot of fiddling.
Care to elaborate?
Garage uses the AGPL v3.0 license, which is not an open source-friendly license.
Doesn't support if-match.
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
---
See also the relevant README section: https://github.com/minio/minio?tab=readme-ov-file#source-onl...
OK, we updated the title to your suggested one now.
What was the previous title?
For those left wondering what the original title was, it said minio went source-only.
I don't see the problem in either case. For a Gentoo user, it changes nothing.
That was my interpretation of the title when I first clicked it. Still interesting but easy to misunderstand nevertheless.
We [0] use MinIO for our clients so we've just thrown together a nightly build process. Use/fork as you wish:
https://github.com/golithus/minio-builds
Example use:
[0]: https://lithus.eu
If anyone is wondering, the Dockerfile for this repo (thanks for sharing!) basically just copies the binary in, it is a 19 line dockerfile.
I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself.
https://github.com/golithus/minio-builds/blob/main/Dockerfil...
>I see both sides of the argument here, the people maintaining minio should not have to push docker images for free, it is work to maintain and test, especially across all the host platforms. And, this work isn't that complicated if you want to do it yourself
I don't. It's automated, it needs approximately zero attention. This is just a company that got where it was benefitting from open source taking the free toys away thinking there'll be profit in it.
No problem!
And it is very true. Although the binary does also need building, which is also handled in the above actions workflow.
Curious how you handle legal reviews by your customers' shipping AGPL licensed software? We've had a lot of pushback from legal even on licenses like MPL
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interested to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
Done: https://github.com/golithus/minio-builds
garage devs have told me of 10PiB+ deployments in production, but I've never operated one at that scale so I can't share much insight into the experience. Probably best to ask on their matrix chat.
I think both sides of this argument are correct:
1. MinIO is a business and they don't owe anything to anyone for free.
2. People using the OSS version also are free to express their dissatisfaction.
This is not contract law though. This is about using OSS as a marketing gimmick to get mindshare, penetrate the market and then do a bait and switch.
On one hand, it is within their right to do whatever they want as marketing. On the other hand, we as the community should be more aware of OSS as marketing vs OSS as we would like to see it.
There is damage to the community however: this erodes trust in OSS companies, so just like "content marketing" or "influencers" or any other type of marketing, after a while it loses its effectiveness, to the detriment of real "content", real "influence" and real "OSS".
People should understand from the outset that open source contributions from for-profit companies must benefit that company.
For VC-backed companies -- or anything else where it's spend now, profit later -- the bait-and-switch is practically inevitable.
(Or, of course, the company can simply stop contributing, either from going out-of-business, or pivoting, or being acquired, etc.)
If you're considering building long term on oss from a for-profit company you should count on having to pay in the future. You should believe you have a decent understanding of their business model so you have an idea of how much you might need to pay. Of course that's usually very difficult for VC-backed "spend now, pay later" companies, so you might be best off avoiding them for anything long-term or foundational unless you think you can bear to switch, possibly on short notice.
I generally agree with your point. Over the years of being responsible for technology stack choices, I've come to apply one rule of thumb on OSS projects: is the project a core competency of the company behind it or not. For example, Github might open source their language detection library or Shopify might open source some frontend development project. These are not core competencies of Github or Shopify. Their business is somewhere else.
However, if I start a business and open source my core competency, with or without VC money, I will have to turn a profit or die, which leads to such outcomes, from MinIO to Hashicorp.
I agree with all the points you make. Just adding a detail to the following bit:
> 1. MinIO is a business and they don't owe anything to anyone for free.
I don't think MinIO discontinuing the free docker image is really the problem here. Creating and distributing such images cost them practically nothing - either in infrastructure costs or in HR costs. If they find it that difficult, they only need to say it. Either the community or another company will gladly take it up for free. Even other cloud projects have alternative distributions like Bitnami builds.
The real issue is the pattern of behavior that this move exposes. They seem to have removed the web UI from the community edition claiming that it's hard to maintain (another thing the community would have gladly taken up if they were informed). They also stopped updating the community documentation. And these largely escaped attention until the docker build was discontinued. That itself is controversial since much effort wasn't spent in letting the users know that their current image was going to suffer bitrot indefinitely. Apparently there was also a CVE which was fixed in the source. They didn't consider it necessary to at least push the fixed container as a final measure.
All these are certainly hostile and unkind towards the community and it's bordering on dishonesty. They didn't lie. But neither did they do the bare minimum expected when taking such a drastic measure. It's clear that they're withdrawing their generosity for more profits after gaining a lot of mindshare with their earlier offering. I don't believe that the docker image alone would have inflamed the community so much.
I don't think this is really a big deal. Plenty of others already maintain public OCI images of Minio (Bitnami is one example). So long as that's the case, there are options. I'm not familiar with Minio's licensing terms, so maybe they can put an end to that practice if they want to, but I suspect there are drop-in replacements other than the official Minio Docker Hub image.
What Minio is doing wrong here is thinking too highly of themselves. Their product is a fine implementation of S3-compatible object storage. It has some features that make it attractive for selfhosting. It's far from the only solution, though. The harder they make it to use, the more people are going to switch to easier alternatives.
A lot of companies try to lock down their popular open source/free products once they have a large market share. It always backfires.
Hashicorp did this. There's no reason to use Terraform anymore; OpenTofu is a drop-in replacement that is just as good for almost everyone, and all the community support will shift to it such that it will inevitably be far superior to Terraform.
Redis became Valkey. MySQL became MariaDB. OwnCloud became Nextcloud.
There are countless examples. Yeah, the commercial entities continue to exist. For companies that need support and contracts, there will still be a market. But they are destroying their pipeline for new customers. Why would anyone use a closed commercial project with no community contribution when there's a free, open source option that's either a 100% compatible drop-in replacement or a low-effort pivot to a functionally-equivalent solution without vendor lock-in and burdensome restrictions?
Minio is shooting themselves in the foot. Most people don't give a crap what's backing their object storage, so long as it works.
> Plenty of others already maintain public OCI images of Minio (Bitnami is one example).
Looks like that's coming to an end too.
https://news.ycombinator.com/item?id=45048419
Yeah, I saw that recently. linuxserver.io bundles a lot of apps into OCI images, and I use many of theirs because they tend to be better-designed than official ones—or at least more consistent.
And while some people might be intimidated by it, it's not a huge lift to make your own images. I don't mean to trivialize it, because it's at best inconvenient, and can be challenging. In many cases it's only a few minutes of work to bundle something up. LLMs are great at this. For a Golang app like Minio, it's a piece of cake, since you don't have to install a zillion dependencies manually.
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and " While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
[1]: https://github.com/minio/minio/commit/9e49d5e7a648f00e26f224...
What makes me sad is that, as mentioned in other threads, this destruction in reputation could've totally been avoidable. If MinIO had taken the time to give out warnings months in advance and help community members (or even other companies) to host the Docker builds somewhere else, there would've been close to no backlash. Yet they've decided to make it such an abrupt transition and especially when a CVE is involved.
It's absolutely stunning that people actually defend this behaviour!
The community is having an outrage - and rightfully so - about a silently discontinued artifact delivery at a very critical time. Which is their opinion and every human being is entitled to have their own opinion and state it openly.
It is also perfectly fine to expect a standardised behaviour to continue.
However, what is most important is that it is perfectly fine to shame an open source product for pulling features and money grabbing people after years of gathering community and locking them in.
I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
You are a farmer, not a big fancy profitable one. Your tractor is from 1970 and works great, when it works. Your wife has health problems and can't really help out around the farm much - kids have gone off - so you just do things mostly by yourself. With your lucky dog Skip by your side. Even though times are tough and money ain't coming in like it used to - you still give free produce to the local schools and shelters. You've been doing it for over 20 years, and the community loves you for it.
But then your wife passes. Medical bills are too high. You can't give away free produce to the local schools anymore.
The community is outraged. They come to your farm with pitchforks. They set your barn and fields on fire.
This is kinda what this thread feels like lol.
> I don't think the people in this thread have any concept of how much $$$ it costs to distribute a free container that is going to be downloaded billions of times.
Not very much at all. It looks like they're hosting on Docker Hub which doesn't charge for bandwidth. I could create a pro account for $11/month and be able to serve an image billions of times. The compute to build an image is small enough that it can be done at whim on a dev machine.
But when you plug in the numbers: that the farmer raised $126 million, and hosting unlimited Docker Hub pulls costs $11/month, it doesn't quite feel the same.
It's absolutely not what is happening.
It's more like the farmer was giving leftovers for free to schools and it was so good that it made him famous. People from all over the country came in, including businessmen who told the farmer he is missing out and should be charging more for his food. He started a restaurant chain but, the businessmen went further and said that a quality product cannot be given away for free and made him stop supporting schools and shelters which got him rich and famous in the first place. Even tho, he was just handing over leftovers (it cost around USD 100 to host a docker image - yearly)
Think EA, Microsoft and Xbox, Broadcom and bitnami.
I don't understand the point. The entire raison d'être of this project is that you self-host it and don't pay money for S3 and control your supply chain.
If you are denied this possibility — it is much easier just to use S3.
Denied as in „use their supplied Dockerfile and type 'docker build'"?
I haven't used minio in years, and when I did I only fiddled around with it, but my recollection of it is that it's about the simplest build chain imaginable. Install modern golang, build minio, get single binary.
Anyone relying on an opensource tool like minio, needs to look at:
Once you've looked at that you can decide "is this an anchor I want to handcuff myself to and hope the anchor won't jump into the icy blue deep taking me and my dreams with it?"
If the org behind it ever decides to rugpull/elastic you, what're you gonna do? At least with something like minio, if they're still distributing the source it's trivial to build (and if you can't build it you should evaluate if you're in a position to rely on it).
Let's look at other cool open source things like SigNoz which distribute only docker artifacts (as far as I remember, anyhow) -- if they were to rugpull that people relying on it would be totally lost at sea.
This isn't to say that this isn't poor behavior on minio's part, but I feel like they've been signaling us for a while that they're looking to repay their VC patrons.
They have also removed the web UI and stopped updating the documentation for the community edition. The former is not extremely serious as the community can easily replace it. The latter is arguably the worst among all the changes that we know of. While they do redirect community documentation towards its enterprise counterpart, it's becoming clear that the differences in the community edition won't be addressed at all. That will make MinIO community edition less viable over time.
Overall, it's pretty clear that they don't view the OSS users kindly or want them around. I'm pretty sure that they would drop the entire community edition if they could do so legally and without much fuss. You can expect more like this in the future. So this story shouldn't be seen simply as the loss of a docker image.
Right -- I think it's quite clear that if you're relying on the free minio you need to look elsewhere or peer up with some others and fork it.
And any adoption of a critical piece of software needs to have a risk calculus associated with it of "what if they get bought by CA, invaded by Russia and murdered, murder their wife and go to jail, or dedicate their remaining time on earth to writing haiku?"
Both open source software and commercially supported software have risks and mitigations. I'd argue that you're actually safer with open source software since you can pick up and keep running it, but that's not a trivial undertaking.
> If the org behind it ever decides to rugpull/elastic you
I love it that you use "elastic" as a verb here.
I am also so confused as to what MinIO is now. All I see on the website is AIStor - have they dropped the "S3 Alternative" Marketing and gone full AI?
If you want VC funding, your marketing pages need to go all-in on AI. Even if your product has nothing to do with it.
Unfortunately yes. I have been looking at one of the well-known VPN infrastructure providers and they use "AI" on their website a bazillion times. Insane.
Yikes
Time to switch to Garage for dev environments and reconsider minio for prod. This is not how to do open source.
Ceph is an open source project run by a foundation. Minio is a company backed by VCs looking for a return. There is also seaweedfs, powerscale, openstack swift and hyperstore. The S3 compatible space is crowded.
Also there is garage, which I found easy to setup: https://garagehq.deuxfleurs.fr/
Curious about one thing - does Ceph's s3 compatible api support oidc based auth? We used to use this with minio before switching to aws s3 and using presigned URLs.
https://docs.min.io/enterprise/aistor-object-store/administr...
As a user of Ceph it does feel like a truly open source project. Redhat/IBM do sponsor a lot of work on the project but there are lots of other contributors. I have contributed maybe a dozen changes myself and it was quite easy to do and the maintainers are fairly responsive.
Ceph is absolutely lovely and rock solid. Can't recommend it enough.
https://github.com/coollabsio/minio
I was reading the github discussion and found out that coollabs has taken on the decision to make docker images for these.
https://github.com/coollabsio/minio
https://github.com/minio/minio/issues/21647#issuecomment-342...
>Until we (the community) figure out something, I made an automated docker image version here: https://github.com/coollabsio/minio
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Idk what I will recommend now? Garage? Seaweedfs?
Wow, ~75 lines of Dockerfile and ~300 lines of github actions, hosted on a FREE platform.
Seriously, what is the rage here, anyone could do this.
I hope you have read the github issue page
This was the first person after so so many comments to actually do something about it, and he's from coolify which can be decently trusted with.
Everybody likes to rant and the dislikes on github issues show but I just respect the guy for even taking his time to write this.
Sure you can try to reduce it to LOC or anyone can do this, but did you?
Also there is a trust factor, I can trust coolify's docker image as compared to any other people.
Anyone including MinIO. So why did they stop doing it when it was so easy?
Especially because they haven't provided any reasoning for this decision, so everyone assumes the worst. I can't really think of any reason for this that puts them in a positive light either, can you?
I wonder how many people only use Minio as a localdev S3 alternative.
At least that's all we use it for really
I have a 160TB minio cluster running for 4+ years which has dealt beautifully with node outages, one drive failure and the occasional hiccups on the datacenter.
I was okay with not having support because I am not part of their customer base. I was okay with not having the webUI, though I wish they made an option where the webUI would be available for some basic-tier paid customers. But I can not be okay with this move. They are just giving the finger to all the community. They never tried to work out a solution that could let smaller users contribute or support.
I will seriously have to consider moving to Hetzner object storage.
What is the problem exactly you are facing now?
Every time I used it for more than that I ran into performance and other concerns (like durability and consistency) pretty quickly. I cannot imagine how this is used seriously when there is something like Ceph available.
Turns out most file systems are horrible key-value stores.
>I cannot imagine how this is used seriously when there is something like Ceph available.
Adopting Ceph is adopting a Ceph engineer, any use-case with the need and funding to run Ceph on production would easily be able to pay for commercial licenses and/or contribute majorly to this or their own fork. They work in different ball-parks entirely
Yeah CI tests and local dev environments for code that runs against S3 in prod. Right now sifting through the alternatives for whatever is easiest to run as a container in Github actions or docker-compose...
I use it to test my tiny written-from-scratch S3 client in my server app. But then I already have it installed, it already works, and I don't care about updates.
That's how I use it. It seems to also provide a lot of other stuff I don't use.
Hey Mike Donovan here. I work at Docker and help with the Docker Official Image (DOI) program. If you're interested in a DOI being created to support the MinIO community chime in here: https://github.com/minio/minio/discussions/21655
I'm glad to have migrated to garage in time. This is quite unfortunate though as a lot of open source projects, like plane.so, used minio via container images for s3 with docker compose.
What did you lose exactly, I don't get it.
MinIO has taken away the admin UI for everything except a bucket browser in one of the last releases.
And now they have stopped publishing updates to their community edition docker images. As the linked GitHub issue points out this now means at least one vulnerability will be unpatched (unless you install from source or switch the image) for anyone relying on updates to the original container image.
My loss exactly was that minio lost most of its appeal when it stopped having an integrated management console. It also seemed they were moving into a direction where features were gonna be more separated off for their aistore products over the community edition (a fair move but not something I want to happen to my deployment).
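A check for the situation this comment describes, where a compose file keeps pulling an image whose publisher has stopped updating it. This is an added example, not code from any poster or from MinIO or Docker; the `FROZEN_REPOS` list, the function names and the sample compose text are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Repositories this audit treats as no longer receiving updates.
# Assumption: maintained by hand. "minio/minio" on Docker Hub is listed because
# the thread reports that its community image is no longer being updated.
FROZEN_REPOS = {"docker.io/minio/minio"}

# Constructed sample input (not taken from any real project).
SAMPLE_COMPOSE = """\
services:
  storage:
    image: minio/minio:latest
  cache:
    image: "registry.example.com:5000/team/redis:7.2"
  web:
    image: nginx
  db:
    image: postgres:16@sha256:{digest}
""".format(digest="0" * 64)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    # A tag is a colon after the last slash; a colon before it is a registry port.
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    first, _, rest = name.partition("/")
    # Docker treats the first path component as a registry host only if it
    # contains a dot or a colon, or is exactly "localhost".
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    # Single-name Docker Hub images live under the "library" namespace.
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository
    return ImageRef(registry, repository, tag, digest or None)


IMAGE_LINE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^\s'\"#]+)")


def audit(manifest_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, reference, reasons) for each risky image line."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        raw = match.group(1)
        ref = parse_image_ref(raw)
        reasons = []
        if f"{ref.registry}/{ref.repository}" in FROZEN_REPOS:
            # No tag from this repository will ever carry a fix.
            reasons.append("frozen-repo")
        if ref.digest is None and ref.tag in (None, "latest"):
            # A floating tag hides the fact that the content stopped changing.
            reasons.append("floating-tag")
        if reasons:
            findings.append((lineno, raw, reasons))
    return findings


if __name__ == "__main__":
    for lineno, raw, reasons in audit(SAMPLE_COMPOSE):
        print(f"line {lineno}: {raw}: {', '.join(reasons)}")
```
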
thoughts on https://github.com/coollabsio/minio ?
I feel like this could be used till the time plane.so or other projects feel like they could migrate to garage or maybe just use these coollabsio minio docker image?
My problem was mostly that MinIO was not significantly better for my use-case than garage after the admin console was yanked. Thank you for the pointer though, I will take a look at this for my plane.so instance (using a private containerized minio there still).
While not notifying of the change earlier is annoying, I also don't see anywhere stated that they're obligated to provide services in addition to just providing me the source. Moreover the build-instructions don't seem complicated at all, anyone already extracting value from this should be capable of pulling the source and keep on running with it.
`docker build` is free, and faster to type than the fake outrage in the github issues and the dictator-calling below in this thread.
With docker build comes a whole slew of dependencies that you wouldn't have with official images. You need some place to host the image, or build on the servers you use for deployment, and cross platform compilation (i.e. ARM images) becomes an issue.
It'll take more time than just typing out a comment on HN to get all of that in play. Actually getting a docker registry of your own set up with auth and everything can easily take half an hour, and adding+testing periodic sync and compile steps in your CI/CD will take another couple of hours if you're not set up for it.
Hardly the end of the world, though. Reminds me of the infamous "why can't people on github just give me the .exe" reddit troll post.
So, basically, MinIO is dead.
Time to move on, folks. Dead horse is dead. Kicking it will release toxic decomposition sludge.
Fun, I had just started using it as the data store for a distributed Rust compilation cache, guess we're moving that somewhere else. Hopefully the choice of NixOS as our server OS will make this easier rather than harder.
What alternatives do people recommend that have at least a similar feature set and at least similar performance to MinIO?
I made a comment above about some, https://news.ycombinator.com/item?id=45684035#45684826
Ceph is what I think but there are a lot of alternatives.
Garage works, has good NixOS support too.
I built my first Slackware box from source.
How times changed.
Sad to break it to you but it was 30 years ago.
We have a tendency to stick to what we know but everything changes constantly and us being connected amplifies that.
Anyone tried rustfs? https://github.com/rustfs/rustfs
It's still free and available, you just need to run the docker build command yourself or pay them to get their enterprise version.
Well, you can build some parts of it, but the builds aren't the only thing they're removing. Reading some of the Github issues, eg. https://github.com/minio/object-browser/issues/3546:
> We initially explored a basic admin UI for the community branch but haven't actively maintained it. Building and supporting separate graphical consoles for the community and commercial branches is substantial. Honestly, it is hard to duplicate this work for the community branch. A whole team is involved in console development, including design, UX, front-end, back-end, and pen testing. This commit introduces an enhanced object browser but removes the unmaintained admin UI code.
They deleted the admin UI from the current version of the open-source side. It's time to pay the VCs, the project is being rug-pulled and they're going all in on the enterprise version.
? Just build it yourself?
We moved to Seaweedfs around one year ago and I couldn't be happier. It also fixed all of the performance problems we had on MinIO.
I thought one day in the hn TOP-5 was more than enough for MinIO.
I'm even starting to wonder, should we also drop Docker builds to get the same amount of PR for our open-source project.
Well some say 'all publicity is good publicity', I think in this case it has hurt MinIO more than anything as far as public adoption is concerned.
I believe it's too early to judge public adoption. Let's see in a few years if it degrades somehow. For now, they jumped from 55,880 to 56,319 GitHub stars in one day.
From the product side, I don't see how this should affect new adopters who didn't read the hn post yesterday
Lots of people in this thread keep repeating the idea that, "Nobody owes anybody anything".
Sure, just like nobody owes minio goodwill or business. People sour on these kinds of things because they feel sneaky and backhanded. It tells you something about the kind of people you're working with.
Imagine if a food kitchen suddenly started charging for the food, without notice. Or they started charging to use changing rooms in clothing stores. Etc, etc. You'd, rightly, expect a negative reaction, even if the "food kitchen doesn't owe anybody anything".
The biggest misstep in these situations is the corporations avoiding being honest and communicative about why the changes are suddenly necessary. We all know, intuitively, that in most cases it's because it's not for a good reason. It's because they are greedy or otherwise feel pressured to show infinite growth.
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
> Leaving a known unsafe version as the last release is irresponsible.
I think they should have done a better job of announcing this ahead of time (or at all, really); but there's realistically never going to be a CVE-free release to stop on, because the next CVE is just around the corner.
I'm not sure why I got downvoted here. Minio's behavior here is shitty - but in a day or a month after the last image is released, there /will/ be a CVE that affects that image. By GP's statement, when are they then able to stop releasing?
Maintaining docker builds isn’t that huge of a burden (and likely very useful for them too), and they’re delegating hosting to a third party… I don’t get what they’re trying to achieve here.
They're trying to force some free users to pay them for binary builds.
Are they?
I even checked the pricing page, and there is no mention of any builds as paid features.
Money
this. They want to show more paid subscribers to VCs and enabling open source is eating their lunch
What are folks doing who were just using it for CI/test/dev environments? Just build the image yourself? Use Garage as some have suggested? I'm curious what people see as the pros and cons.
On one hand, MinIO isn't obligated to anyone... on the other hand, there's a lot of people who now feel obligated to not use MinIO anymore. Given that MinIO won't patch their container images, are obligated in many cases. A Dockerfile that actually builds instead of copying binary blobs should be as simple as one that executes `go build`. So a fork that just adds that one step seems inevitable. Seems such a waste on many levels.
Why? The maintainer in the link chooses to be a dick and refuses to explain literally any of the weird decisions they've been making. That would at least help people understand?
Just use Garage. https://git.deuxfleurs.fr/Deuxfleurs/garage
This reminds me about the bitnami containers. They pulled the docker images so everyone migrated away because they fear they will also pull the artifacts building the project. They never said that. They seem to be continuing to update the projects and providing access to the artifacts. It is very easy to build the dockers... it is just a dockerfile really... There is really no upside to stop updating the projects, it is free marketing...
Shame. Textbook OSS rug pull. These people love to rely on OSS, and claim how committed they are to contribute to the ecosystem and to their community, but as soon as people are drawn to the project, start relying on it and using it in the same spirit of OSS that they enjoy themselves (which their chosen license allows, mind you), then it becomes a financial burden, priorities shift to their commercial offering, there's no "bandwidth" to maintain and support the "community" edition, and so on.
STOP ABUSING OSS AS A MARKETING GIMMICK.
Or perhaps an advice to people who might actually listen: stop being attracted to open source projects because of the word "open", and because you can use it gratis. There are plenty of good proprietary and commercial software whose authors treat their users with more respect than these leeches of good will and abusers of trust.
I'm not against OSS being commercialized. In fact, I think that it's crucial for maintaining a healthy project in the long-term[1][2]. But this lingers on the developer having respect and equal regard for all their users, regardless of how much they're paying them. Yes, nobody working on software should be expected to work for free. But there is a philosophy behind this movement that goes beyond a financial transaction. It only works if everyone in the ecosystem is honest, and first and foremost has the intention of making the world a better place for everyone, by not only depending on others who have this mindset, but by adopting it themselves. Claiming to be part of the OSS community, but being hostile to your OSS users is dishonest at best, and worthy of all criticism.
[1]: https://news.ycombinator.com/item?id=45537750
>It only works if everyone in the ecosystem is honest
In general, applying this to anything with the general public, I don't expect it to work. This is why we have laws, licenses and rules in the first place. You can preach all you want but it won't change humanity, you need something concrete, something written and agreed, like a license.
Not all licenses protect the freedoms and rights you're used to in other licenses, and it needs to be taken into account when adopting any project. License terms that don't guarantee any sort of support or updates when you need them aren't in consideration at that point.
If you don't trust people, then OSS is not for you.
You can't claim to provide software as a public good, while also gatekeeping it only for specific groups of people. If you want to do that, then choose a restrictive license, with the exact terms of use you're comfortable with, and don't work in the open to begin with. That is a valid strategy if your main priority is getting paid.
My objection is towards people who use OSS licenses, but then take issue when others actually use the freedoms they've granted, and proceed to enshittify the project by removing features, putting them up behind a paywall, and in general being hostile and ignoring the user base they've gained in large part thanks to OSS. This is using OSS as a marketing tactic, which undermines the whole point of open source and the free software movement.
Isn't your diatribe contradictory? Your last paragraph appears to contradict your 'beliefs'.
This is interesting. I've recently been doing quite a bit of research into what my "future stack" is going to be for backend. MinIO regularly came onto my radar but one heuristic (among many) I use to determine which software is TRULY open source and which is far less likely to remain open source is whether they even provide a link to their Github page and prominently display it on their website. MinIO was triggering my "not really open source" radar for this reason.
I'm still dabbling but have kind of latched onto the idea of using Ceph. To my understanding they were acquired by RedHat, and the project has all the signs of real open source, including the fact that it originated as a doctoral research project at the University of California, Santa Cruz, with initial funding from the U.S. Department of Energy.
Full disclosure: I work for Cloudian.
While I understand the frustration with MinIO’s approach here, I want to be upfront about what Cloudian HyperStore is and isn’t - it is designed for multi-node, multi-site deployments (think 3+ nodes minimum) and performs best on bare metal or dedicated infrastructure rather than containerized environments.
It’s a very mature S3 and offers IAM, SQS and STS endpoints as well.
If you’re running MinIO at scale in production and looking at migration options, I’m happy to connect you with our team who can discuss whether HyperStore makes sense for your use case. That said, for single-node dev environments or lightweight deployments that many here are using MinIO for, the community alternatives mentioned in this thread are probably better fits. Different tools for different scales. Happy to answer any technical questions about HyperStore’s architecture if helpful.
What is Cloudian? You guys didn't develop Minio did you? (Google says Minio Inc?) If you did it's hard to tell.
No, Cloudian did not develop MinIO - completely separate companies. MinIO was developed by MinIO Inc. Cloudian makes HyperStore, which is our own S3-compatible object storage solution. We’re a competitor to MinIO, not affiliated with them in any way.
#ad
It is unfortunate, but somewhere you need to draw the line, if you are planning to stop releases. If they fix this, how about the next? Why fix this one but not the next CVE? Is the reaction same next time and they end up fixing endlessly?
IMO they should've waited at least a month after updating their README. The timeline is rather short.
It'll be hard to convince people to buy their commercial offering after pulling something like this.
On the other hand, they did the work for free, so it's up to them to decide when to stop doing that. Plus, anyone can fork the repo and maintain their own version with fixes and docker images and everything.
this sucks because now im forced to make seaweedfs and ceph work haha
seriously, minio sucks perf wise but they really did a good job making it easy to deploy with docker
Just make a fork and release built images via github actions with ghcr. Then ask people to switch to it.
The great thing about open src is the ability to walk away. removed features in new release? fork and put it back. quit complaining and be the change the world needs you to be
https://github.com/coollabsio/minio
Can't emphasize it enough but I trust the coolify team enough. Let's all jump to this ig
There are people who are being the change they want to see, thanks coolify team.
back in the day, I had an automated Github action that would pull and build a polyfill.io image every time there was a tagged release
You don't even need to fork the project, you can just extend / distribute
Getting it from source is as easy as `go install github.com/minio/minio@latest` if you have a recent Go.
In addition your favorite Linux distribution probably has it as from-source builds already.
For a container image you could try making one from Alpine or Wolfi.
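The from-source route described in the comment above, as an added example that is not part of the original comment and is not MinIO's own Dockerfile: a multi-stage build that compiles with the `go install` command quoted there and copies only the binary into an Alpine runtime image. The `MINIO_VERSION` build argument, the `minio` user and UID, and the `/data` path are assumptions chosen for illustration.

```dockerfile
# Stage 1: compile from source inside the Go toolchain image.
FROM golang:alpine AS build

# Assumption: pass --build-arg MINIO_VERSION=<tag> to pin one known source
# revision; the default "latest" mirrors the command quoted in the comment.
ARG MINIO_VERSION=latest

# Build a static binary so the runtime stage needs no C library.
ENV CGO_ENABLED=0
RUN go install github.com/minio/minio@${MINIO_VERSION}

# Record the embedded module path, version and dependency versions in the
# build log, so the image can later be matched to the source it came from.
RUN go version -m /go/bin/minio

# Stage 2: minimal runtime image holding only the binary.
FROM alpine:3

# Assumption: unprivileged account and data directory named for this example.
RUN adduser -D -H -u 10001 minio \
 && mkdir /data \
 && chown minio /data

COPY --from=build /go/bin/minio /usr/local/bin/minio

# Run as the unprivileged user instead of root.
USER minio
VOLUME ["/data"]
EXPOSE 9000

ENTRYPOINT ["/usr/local/bin/minio"]
CMD ["server", "/data"]
```

Rebuilding the image also picks up the current Go toolchain and Alpine base, so it is worth rebuilding on a schedule rather than once.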
MinIO was already tricky before because their interpretation of the AGPL is way too broad.
I like the GPL; it has given us a lot.
I am guessing here but I do understand why they want people to open source the management code of minio and in some cases how it is integrated into a product. I understand that AGPL might not be written for these requirements but I think it is time for a new such license.
If it is part of a SaaS product that is sold I can definitely understand why this is important.
Do you have a link? I want to read more about that. Did they interpret any use as deriving from minio?
They changed their public guidance at this point, but you can still find references to their approach to AGPL quoted here: https://news.ycombinator.com/item?id=35328316
> "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."
It seems like they've pivoted from being a FOSS alternative to AWS S3 to whatever AIStor[1] is.
[1]: https://www.min.io/product/aistor
Quite a downward spiral for them. Wow. I mean I get the yearning for turning a profit, but this is yikes. This is the type of thing that guarantees most people using your open source / free variant never return.
I regret recommending using it in our team.
This move can’t be anything else other than malicious.
Item 15 of the license states:
They have no obligations to provide documentation, binaries or anything beyond the source code.
I personally think this is a better option than migrating from an open source license to a source available one, and I would like more projects to adopt this approach from the beginning of their projects, to set people's expectations right.
Which would be very relevant if anyone were trying to sue them for this - which no one is.
The license establishes the limits of legal requirements and responsibilities. It doesn't shield you from criticisms and people being annoyed with you.
It's sad to see a company that built itself using (and yes I purposely choose the word using) the community abandon the community in pursuit of maximal profit.
I think Minio is the only Go client for S3 API and S3-compatible APIs. I cannot say I liked using it, but I had no choice. Nowadays I run my own file storage with my own API, so I no longer care.
But if anyone wants to run their own file storage (so not a client), there is https://github.com/seaweedfs/seaweedfs
I've used the minio-go client library for about a year now. I don't see anything in the minio-go README or elsewhere to make me think it will no longer be supported. In fact, the most recently merged PR was yesterday. There are some other Go S3 clients, like https://github.com/kelindar/s3, but I don't know if any other Go S3 clients have the complete set of features that minio-go has.
Surely there's github.com/aws/aws-sdk-go-v2 ?
Just run `docker build` yourself. Why does this non-issue spawn dozens of comments? This isn't some impossible-to-build Windows C++ project.
Recently adopted the Go MinIO SDK to abstract cloud-specific APIs. Really hoping the SDKs don't get a licensing change or yanked next
there's still gocloud.dev/blob ...
Incidentally there is an open source S3 project in Rust that I have been following. About a year ago, I applied Garage images to replace some minio instances used in CI pipelines - lighter weight and faster to come up.
https://github.com/deuxfleurs-org/garage
minio is guilty of a lot worse sins than pulling a docker image -- hate them for those, not because it's more inconvenient to run.
https://garagehq.deuxfleurs.fr/
Surprised by the entitlement of some people. This was FREE labor they were providing, it was never going to last forever.
They created their business on open source. Free software was their top of funnel. Free customers become paid customers, and fund the business. They are more than welcome to change this, but there is no way they don't end up with egg on their face, and that's what we're seeing here.
Render also pushes MinIO as their recommended equivalent to S3 for their customers (using docker), similar to Bucketeer on Heroku.
https://render.com/docs/deploy-minio
Hopefully this will finally push Render to build their own S3 wrapper.
(Render CEO) We're prioritizing Object Storage independent of this move.
I hadn't seen the news about MinIO yet.
For others that are surprised by this, it seems that there is a fork of the UI called OpenMaxIO
https://github.com/OpenMaxIO/openmaxio-object-browser
I was not familiar with MinIO until this post and I see now 694+ upvotes!
Can anyone give me some background on why MinIO is/was so used? So many people want to self-host S3 compatible software? Just asking, very curious about the whole thing!
Am I getting this right - someone has been providing things for free for a long time and now people are complaining that they are relying on getting things for free and the "someone" cannot just change this?
Shameless plug: try Minimus! Minimalistic and always updated container images. We have the MinIO image and it is always up to date. https://www.minimus.io/
garage and for the minio gateway (RIP) i use versitygw
Have been looking for minio alternative for long already. Found versitygw lately and would like to share the joy. It feels very promising. Fits to many small or lab use cases.
It does not actually solve the trickiness of managing large storage but relies on the backend (that is usually fs like zfs in small setups).
However, it seems to be quite a new project, plus the risk that the owning company takes it in a bad direction is there too.
https://github.com/versity/versitygw/
Any recommendations for a simple S3 implementation for a local docker-compose development setup for mocking S3? Ideally with a nice UI to check/manipulate files.
Garage for s3 emulation is a great tool. https://garagehq.deuxfleurs.fr/
A developer not offering builds themself is a common thing in package managers, like apt or pacman. I don't get why it should be any different for Docker images.
I've been testing the RustFS product for over a month now. While there are some minor bugs, Rust is very stable.
Why didn't YC invest in such a great product?
I've switched to garage and it's been absolutely fantastic. I don't know if it has a UI yet, but it's been rock solid.
/me waiting for all complaining about lack of docker image to step up and start providing those images ]:->
At this stage I’d be hesitant to build anything on top of minio
In May, they pretty much said they will not maintain the "community version" anymore.
Exact quote: "it will remain as is, and will only receive security fixes if any”
https://jamesoclaire.com/2025/05/27/how-to-self-host-your-ow...
They've also tried to claim AGPLv3 will infect any networked client code too: "Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations. The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO." -- they've since removed that, utterly unsupported, argument, but the lesson to take home is they're really trying to prevent any non-paid use.
It really is time to stop using Minio.
To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spewed out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
> you should not be running a durable storage cluster in-house
If you’re running Minio, odds are you have interesting use cases that are not filled by S3. I wouldn’t make such blanket statements.
I don’t think anyone is surprised that an LLM can help you here either.
I'm trying to be charitable here, but you're being incredibly obtuse in your response. The issue here is very much not that someone has to build a Docker image. There's already a Dockerfile in the repo that works to build it, you didn't even need some LLM to do that for you. That's not the issue. The issue is that their existing Docker image has billions of downloads and they simply stopped publishing updates unilaterally with no material attempt to communicate this to their users when the current image is affected by a critical CVE that will now never be fixed.
If you don't understand the difference between these two issues, I would suggest it is /you/ that lacks the ability to add sufficient value to your employer (as if that's even a standard we should care about. We are people, not merely cogs in some VC's wet dream).
The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?
The timeline is rather short (the README announcing source-only releases got updated a week and a half ago) but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.
I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.
The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.
Open source is sick. Everyone wants it (both to maintain a successful project, and to use them) until you maintain a popular project for a reasonable time then you realise you're getting used for fuck all value.
We need a healthy way to support open source developers. This isn't working. Companies are taking advantage, and individuals are overwhelmed with choice and have delusional expectations.
It would be cool if The Linux Foundation had a fund to support open-source devs with stuff, like a stipend or hosting costs, kind of like what exists in the hospitality space. I know that this sort-of exists, but it feels distributed amongst a few big companies and is entirely at the whims of their quarterly performance.
No need to get mad or upset about this at all, MinIO is telling us exactly who they are:
They want to be a commercial software vendor, and they don't like open source.
As long as they aren't advertising their product as open source, I don't see an issue.
Is there a fork already?
Do we need a fork? As an example, ffmpeg is source only for mac and windows, which just means someone else is building and distributing binaries.
They changed their license to AGPL, removed features (Web UI, etc.) and now they don't provide docker images/binaries. It's their project but; what's next?
What for? The code hasn't changed, it's AGPL-3.0. They just don't release their own binaries or docker images anymore.
There is perhaps a need for a fork because of their recent removal of features (unrelated to today's post): https://github.com/minio/minio/issues/21584
Demanding people do free work for you, like starting a fork on your expedited schedule is quite juvenile.
Forks take time and effort from humans to maintain.
Where did you see a demand? The comment you're replying to merely asked if there is a fork.
not sure that word means what you think it means
Just build your damn image if you need it.
They don’t owe you anything.
I used MinIO for local dev. I can use S3 or R2 in some cases instead. Kinda crazy to find out that people use these Docker images in production. Why on earth would you do that?
Reasonable.
That seems to be the key word.
One camp argues: Expect nothing. Move on.
The other: Could they - with very little effort (reasonable) - have chosen a more palatable route.
There must be a middle ground between the nihilists and the pampered.
I built my own S3-less Minio alternative few weeks ago, should I open source it?
It's built using Rust and React Router.
Just playing around with it
More projects should do this.
Since the whole docker thing where people were complaining about having to pay 10USD, I am happy when OSS projects pull the rug, tech bros you're paid to solve your company's issues, nobody in OSS owes you anything, go earn your salary and build the docker image that fixes the CVE, or stfu
We all know you don't care about loyalty, correctness or anything, you just want someone to do the work you're paid for
Spot on. The number of people who are seemingly completely lost without a free DockerHub build is terrifying. Maybe it explains why software quality has degraded so much over the last several years.
are you saying there's a bunch of human centipedes bopping around here who are both the people who would do the minio rug pull as the ones who complain about not getting free services?
It's ok, just don't use them anymore if you don't like it. I will switch to something else.
> We’ve started distributing our software for free
> nice
> We’ve stopped distributing our software for free
> How dare you!
That is not the problem here.
You're right. This is like they've stopped offering free gift wrapping. You can take it home in the plain package for free if you want.
what a terrible turn ... screw 'em
so what're you folks moving to? spinning up a local minio instance was what I always sprung for when doing local testing of s3 things...
Edit: 9.4k stars. Looks compelling. https://github.com/rustfs/rustfs
We'll just build our own docker image, it's not a huge task
Imagine having to build LibreOffice from source to get it installed
e.g. on Windows
Not bad as long as the scripts are there.
This is a clear Rugpull and Enshittification, no matter what perspective you have.
Once again people will find out that no software should be free.
What did MinIO say to Wordpress? "hold my beer"
Still don't get why on earth anybody would run a Docker version of MinIO in production. And why is this even a problem. Not like you put a private storage service on the Internet? Or do you? The incompetence of the average HN user is just mind blowing.
[flagged]
Could you elaborate please?
Why is DHH being mentioned?
Nothing to do with MinIO and their docker builds...
Take your pitchforks and your internet hate-mob somewhere else, please.
lmao
they don't learn anything after the redis case, do they????
I never understood Minio. Why not just use S3? Why not just use Ceph?
If you need just the interface for dev environment, I am sure Claude can cobble it together in 1 day.
This seems like a maneuver of a dying company.