Comment by Tepix
4 months ago
It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will choose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will choose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
"That expectation does not entitle anybody to anything though."
This is true legally, but not otherwise (socially, practically)
"That is their decision. Without any contract or promise, there is no obligation to anybody."
Again, true legally, but IMHO a really silly position to take overall.
Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.
Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.
Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.
Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.
More importantly - society has never survived on legal obligation alone.
I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.
Have you not seen some of the replies at the link?
For example:
"You are joking ?!
The commit about source only is 4 days old (9e49d5e)
We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may lose a paying customer with this behavior."
I think if you analyzed your day to day life you'd be surprised with how many reliances you have on norms and social contracts. I personally don't want to live in a world that depends on an explicit legal basis for every single thing, and I doubt you want to either.
The GP didn't say it entitled them to anything, but that it created a sense of entitlement. You are correct there's no contractual obligation to do so, but it was likely a part of the decision to go with their solution, i.e. "they make it easy to deploy!". It is a very logical conclusion to say "they just made it HARDER THAN BEFORE to deploy".
Promises are not always explicit written permission; that's why I got in trouble for re-broadcasting major-league baseball with only implicit verbal permission (thanks, Simpsons!)
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Even as a paying customer on a $1m/yr contract, still using the open source distribution because AIStor is not something we are keen on, we were not informed whatsoever.
They were well aware we were still using those container images, and we were by far the only paying customers doing the same.
This is malicious.
> > When you always published and built Docker images for the public you are creating an expectation
> That expectation does not entitle anybody to anything though.
Note that implied contracts do exist, and sometimes expectations based on prior conduct do suffice to form an enforceable contract. In this case, I don't know whether you can reasonably make that argument, but that's never stopped enterprising lawyers before.
https://en.wikipedia.org/wiki/Implied-in-fact_contract
“I’m not legally required to be nice” has become a classic and very common HN/Reddit argument. While true, it’s kind of beside the point. People often go beyond what they are legally obligated to do, and other people often expect others to go beyond what we are legally obligated to do. This is about nice vs. not-nice instead of legal vs. illegal.
Calling out shitty behavior doesn’t mean you felt “entitled” to anything.
Not all shitty behavior is governed by contracts and licenses. You can be an asshole without violating the terms of a license.
> Without any contract or promise, there is no obligation to anybody.
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with. There was no contract or promise. The fact you're paying for their service doesn't buy you these rights either. Those are just the terms of service both parties have agreed to.
Similarly, open source software is much more than a license. There is a basic social contract of not being an asshole to users of your product, which is an unwritten rule not just in software and industry in general, but in society as a whole. The free software movement is an extension of this mindset, and focuses on building software for the benefit of everyone, not just those who happen to pay for it, or those who meet your specific criteria. Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it. And your point is that people who complain about this are entitled? Give me a break.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.[1]
[1]: https://news.ycombinator.com/item?id=45666757
You're correct and the project isn't entitled to any good will or usage from the community either. So they get what they get, just like the community. Or you know, everyone can just give a shit about each other even if it's a bit more effort.
You seem more entitled to your opinion than others.
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Not everything is legally enforced. Open source is a social phenomenon. Why are you so surprised that these social rules are being enforced socially?
There are obligations... it's how society functions.
> I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
I really don't get this entitlement. You expect that nobody should follow any social contracts and I'm sure are always surprised when people call you out for being asocial.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distribution's standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
</rant>
> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.
Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.
This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.
I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.
I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.
> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.
If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.
Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.
> Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company
so its a communications issue? if minio or whoever explains this, OK. that's not what happened, so it's not what happened.
If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out it had a knife guard put in place.
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
To me, there are two aspects:
- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)
- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Compare to bitnami: https://github.com/bitnami/charts/issues/35164
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> you are creating an expectation
That's entitlement but seen from the other side.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
This only inconveniences open source freeloaders. Maybe you can volunteer some time to build Docker images?
Rant about the concept of open source freeloaders: there's no such thing as open source freeloaders. If the license explicitly gives you the right to use the stuff for free, there's nothing wrong in using this right. While it would be the right thing to give money / otherwise support the projects you rely on, it's on the software developers who decide to give these rights (I also think it's the right thing to do though) to figure out the business model.
There's also nothing wrong in being upset about something you relied on disappearing overnight. If someone decides to provide something for free, they should give time for people to stop relying on this free stuff if they can.
However, I also believe you should own it if you decide to ever rely on prebuilt Docker images. More specifically, if you are relying on prebuilt Docker images, you are letting someone else decide on a part of your infra. And yes, this someone else can decide to stop providing this part of your infra overnight. This is on you.
I also don't find anything wrong in deciding to not provide binaries for your open source project, or to stop providing binaries, including docker images.
Fork and build your own. Isn't that the whole open source ethos? Why it was invented and how it is intended to operate.
https://github.com/coollabsio/minio
Coolify is already doing it but your comment is on the verge of being passive-aggressive. I wouldn't say these are open source freeloaders because they could be using things like watchtowers etc. which automatically update and it could be a very huge deal for automated updates especially after I saw that some recent CVE of minio happened.
Simply put this just hurts the security of people running minio, I wouldn't say it's freeloading, it's actively harming the community. There are people in that thread who are paid customers as well saying that they lost a customer. I wouldn't say it's freeloading. Minio already has some custom license or paid offering and I think that they make decent enough money out of it, providing docker files and then stopping to is kinda a shitty behaviour if they are unable to explain the reasons exactly why. I couldn't find the exact reasons on why they are doing what they are doing except making it hard for people to self host.
It also inconveniences people who aren't freeloaders - or are you forgetting about the community?
People submitting PRs aren't freeloaders: they are building the product for you. People filing bug reports aren't freeloaders: they are helping you solve the bugs in your code. People writing blog posts about setting up MinIO aren't freeloaders: they are writing documentation for you. People holding talks about it at conferences aren't freeloaders: they are essentially doing free marketing for you. Even someone leaving a "thumbs up" on a Github issue isn't a freeloader anymore!
MinIO is also screwing over those active contributors, who are volunteering their time to improve the value of MinIO's product. That's not just "no longer helping freeloaders", that is "actively hurting the community".
Besides, I'm sure the community has plenty of people who would be more than happy to volunteer time to build Docker images. Do you really think MinIO is going to let them publish it under the official "minio/minio" name so the community can still benefit from it without MinIO having to "support freeloaders", or do you think there could be an ulterior motive behind nuking the image - such as pushing people to the paid version?
MinIO is not actually open source, their source code is just public.
The company I work at spun up a MinIO instance, and we got hounded by MinIO lawyers claiming we had to pay because "hosting MinIO alters the source because of injecting configuration" and therefore violates their open source license.
There have been multiple hacker news threads about this:
- https://news.ycombinator.com/item?id=32148007
> It's an Open Source project - I don't understand what people are complaining about
MinIO is a commercial company that provides some open source components and some paid components and services.
This meme where nobody is allowed to be unhappy with anything when the phrase “open source” is involved is getting old. In the span of two paragraphs your comment discovered why this is frustrating people: They have been providing certain things in the open source leg of their operation and then yanking them and stuffing them under a very expensive commercial leg later, after people have begun using them.
Being upset about that is reasonable and understandable, even if it triggers some of the people who believe “open source” means nobody is allowed to be unhappy with anything, ever.
Company makes Open Source. Open Source community embraces it, helps it to become the de facto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internally only, is the gatekeeping they are now doing.
It's like 0 effort to provide these images.
And yes pricing pages like this is always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow i don't get MinIO anyway. They got over 100 Million of investment for an S3 system. It's basically a done product. It's also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
> It's like 0 effort to provide these images.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
I'm not scared at all and could care less about building the image myself.
I'm also not 'entitled' because i'm doing this for another open source project we are now maintaining.
Just to be clear: THEY already have to maintain the docker image and it makes it less secure for EVERYONE if the community now needs to either find a new github repo/company building it for them or everyone has to build it themselves because they do not trust random companies.
There is a difference between having the official Min.IO image with a stamp of approval vs. forked repos with their version of the same image. The only thing fixing this kind of issue is a fingerprint and build caches.
They are removing the official container images because 1. this is the magic source of running your software in helm charts etc. so now you need to act 2. in some companies you are not allowed to use random container images
And you are completely ignoring my arguments. It's not entitlement if a company's product becomes the industry standard due to Open Source and then doing a rug pull like this.
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining traction.
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
They removed the admin UI from the web frontend in the f/oss version some months ago, too. I updated for security reasons and they'd stripped the functionality out. It's a jerk move.
MinIO is open source cosplay.
I wrote this back in July: https://sneak.berlin/20250720/minio-are-assholes/
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
I think (and I suspect many users would agree) that there is a big difference between "we are removing some unmaintained drivers for a piece of hardware which almost no one is using" and "we are removing a tentpole feature from the 'open-source' version of our application and making it exclusive to the paid edition".
> I don't understand what people are complaining about. No one is entitled to receive free Docker images.
Every time I read something like this, I recall this post from Rich Hickey[1][2] on why no one is entitled to benefit from another human being's goodwill and time.
From the post:
> The only people entitled to say how open source 'ought' to work are people who run projects, and the scope of their entitlement extends only to their own projects.
> Just because someone open sources something does not imply they owe the world a change in their status, focus and effort, e.g. from inventor to community manager.
[1] - https://news.ycombinator.com/item?id=18538123
But not everything can be "fair game" when providing a service for free. Surely it wouldn't have been OK if they suddenly included a bitcoin miner or extracted credentials. They offered a free service, people trusted it, depended on it. Now, in my view, they have some responsibility to their users.
Giving a notice in advance and releasing a final image that patched the CVE would've been reasonably responsible.
Certainly, there are some pretty entitled people on that github issue.
But this attitude is too far the other way. Fair enough, you are under no obligation to continue providing a free service. But isn't it fair to give a bit of notice before withdrawing it? Especially after doing it so consistently for so long. Not legally required, sure, but polite.
They haven't even given notice after withdrawing it! They just waited for someone to realise and ask about it.
Bear in mind that many paid for services, on a subscription basis, technically allow the seller to change (i.e. reduce!) the service at any time. If they act in bad faith to their free tier, what should you expect about their paid tiers? You could argue you also shouldn't be using paid services that could behave that way but I think you'd struggle not to.
I agree with what you said, but I think “courteous” might be a better word than “fair”. Whatever word you use, I take it as a sign that unpaid use isn’t as welcome as I thought.
> They haven't even given notice after withdrawing it!
Beggars can't be choosers. It's not fair to not give notice before no longer providing something for free? Come on now.
Years ago I worked in customer service. There was this guy who came in to motivate us. He talked about the work of someone named Bob Farrell who had a chain of ice cream shops and sold burgers. He had received a letter from a disappointed customer. The customer had been given the extra pickles on his burgers for years and now one of Bob's employees told him he now had to pay extra for it. The customer said he'd never come back. Bob could have said "what an entitled idiot" and kept charging for pickles but he took that letter as a calling for how you should treat customers - just give 'em the pickle. It costs you next to nothing to give the customer the pickle and it makes them happy.
Minio doesn't have to give non-paying users anything, but the story still applies. Give them the pickle. It costs nothing in the grand scheme of things, and if it does, ask for donations like any open source project would do to cover your costs. But as others have pointed out, Minio is not an open source company, they are a commercial company that has source available.
> Minio doesn't have to give non-paying users anything, but the story still applies.
How on earth does it apply when your complete example story relies on the satisfaction of the paying customers. If you're not paying, you're not a customer - you're a user.
> If you're not paying, you're not a customer - you're a user.
This doesn't work with open-source projects: someone can still provide a lot of value to you without explicitly paying for it. If a community member volunteers a lot of their time to contribute code or provide support to other users, then you probably shouldn't piss them off either.
Users have value even when they’re not paying.
Well removing any distribution after a CVE is a nice touch ...
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
You're correct, however:
1. The MinIO image on Docker Hub has more than a billion downloads [^0]. With those download counts, people have almost certainly written scripts that rely on this image existing (including their own Dockerfile! [^1]). Them leaving these images around is just asking for security breaches later down the line.
1b. While, yes, no-one's entitled to freely-available container images, it cost them almost nothing to maintain their existing toolchain for this. Them deciding to pull the plug is purely and entirely a money grab (and a dumb one, if you ask me; look at how the community responded with OpenTofu when Terraform went BUSL).
2. Fortunately, MinIO is a Golang app and can be built with a simple "go install" (though the build instructions in their docs don't align with the build recipe in their Makefile [^2]). However, they could pull a Tesla and make the source that they publish differ from the source that their binaries are built from.
3. They gave NO notice. That's the slimiest part of all of this. Tens of thousands of Kubernetes clusters, and handfuls of enterprise products, run or package MinIO that are now using images that will no longer be updated. All of these people will need to completely change their toolchains to account for that, and soon. That's just not a kind thing to do.
[^0] https://hub.docker.com/r/minio/minio/tags
[^1] https://github.com/minio/minio/blob/master/Dockerfile
[^2] https://github.com/minio/minio/blob/master/Makefile#L179
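An added example (not part of the thread, and not MinIO's code): a small Python inventory script for the situation the comment above describes, finding where deployment files reference the `minio/minio` image and whether each reference floats or is pinned. The file contents, the internal registry name, and the age threshold are constructed assumptions; the tag format follows the `RELEASE.2025-04-22T22-12-26Z` tag quoted elsewhere in this thread.

```python
import re
from datetime import datetime, timezone

# Reference to the minio/minio repository, with an optional registry/mirror
# prefix, an optional tag and an optional sha256 digest. The lookarounds keep
# look-alike names (minio/minio-operator, myminio/minio) from matching.
IMAGE_RE = re.compile(
    r"(?<![\w./-])(?:(?P<prefix>[\w.-]+(?::\d+)?(?:/[\w.-]+)*)/)?"
    r"minio/minio(?![\w./-])"
    r"(?::(?P<tag>\w[\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)
# Timestamp-style release tag, e.g. RELEASE.2025-04-22T22-12-26Z
RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def classify(tag, digest):
    """Return (kind, release_datetime_or_None) for one image reference."""
    released = None
    m = RELEASE_RE.match(tag or "")
    if m:
        try:
            released = datetime.strptime(
                m.group(1), "%Y-%m-%dT%H-%M-%SZ"
            ).replace(tzinfo=timezone.utc)
        except ValueError:
            released = None  # looks like a release tag but is not a valid date
    if digest:
        return "pinned-digest", released   # immutable: never picks up a fix
    if tag is None or tag == "latest":
        return "floating", released        # auto-updaters stop at the last push
    return ("pinned-release" if released else "other-tag"), released


def scan(files):
    """files: {path: text}. Returns one finding per minio/minio reference."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("#"):
                continue  # skip YAML / Dockerfile comment lines
            for m in IMAGE_RE.finditer(line):
                kind, released = classify(m.group("tag"), m.group("digest"))
                findings.append({
                    "file": path, "line": lineno, "ref": m.group(0),
                    "kind": kind, "released": released,
                })
    return findings


def stale_pins(findings, as_of, max_age_days=90):
    """References whose release tag is older than max_age_days (assumed threshold)."""
    return [f for f in findings
            if f["released"] and (as_of - f["released"]).days > max_age_days]


# Constructed sample input: three references to the upstream image and one to
# a hypothetical internally rebuilt image that must not be reported.
SAMPLE_FILES = {
    "docker-compose.yml": (
        "services:\n"
        "  s3:\n"
        "    # image: minio/minio:old-comment\n"
        "    image: minio/minio\n"
    ),
    "k8s/minio.yaml": (
        "      containers:\n"
        "        - name: minio\n"
        "          image: docker.io/minio/minio:RELEASE.2025-04-22T22-12-26Z\n"
    ),
    "Dockerfile": "FROM minio/minio:latest\n",
    "k8s/internal.yaml": "image: registry.example.internal/platform/minio:2025-10\n",
}

if __name__ == "__main__":
    as_of = datetime(2025, 10, 20, tzinfo=timezone.utc)  # constructed date
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f'{f["file"]}:{f["line"]}  {f["kind"]:<15} {f["ref"]}')
    for f in stale_pins(found, as_of):
        print("stale pin:", f["ref"])
```

Floating references are the ones an auto-updater will silently stop refreshing; pinned ones need a deliberate move to an image you build or trust.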
"It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images. "
While this is true, in all of these discussions, somewhere the notion of responsibility often gets lost.
If you publish a project, encourage people to use it, promote it heavily, etc, then get lots of users, and then decide to kill it, while it's true you legally owe nobody anything, it's sort of crazy to claim people are acting entitled when they complain.
After all, you encouraged people to use it and promoted it!
Again, do you legally owe them anything? Nope.
I am much more empathetic towards those who get surprised by the growth of their projects, or otherwise didn't try to make their project popular and decide to quit when it becomes too large too quickly and becomes a burden.
In general, if you try to encourage lots of people to use or do something and succeed at that, you end up with various forms of social responsibility to those people. That's true in most things, not just open source.
Open source does not get a pass at this social reality simply because, as a legal reality, those users are not owed anything.
Back in July I clarified precisely what people are complaining about. It should clear up the matter.
https://sneak.berlin/20250720/minio-are-assholes/
You don't understand, or don't agree with the complaints. Those are two different things, and I suspect you understand why people are complaining and instead disagree with the complaints.
People are complaining because something was available, they adopted it, then it was discontinued. Apparently with little warning, and after they'd been encouraged to adopt it by the provider of the images.
As it happens, I agree with the general idea that if folks are not paying for the convenience of builds, then it's on them to work from source. However, it's better IMO if a vendor or project start from that position rather than what's seen as a rug-pull.
Of course, it's part of the playbook: when something is new and not widely adopted, the vendor goes to great effort to encourage adoption -- then the vendor starts looking at the paid vs. free usage and sees "huh, we have a 10000:1 ratio of paid to free users, including ten megacorps that show up grabbing binaries every 10 minutes for their CI/CD farm, and asking questions in our forums, but aren't paying a penny toward development and our investors are getting pissy."
Exactly. looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
But a properly built image is a nice part of a product release.
Building a quality production ready image is not trivial, and it's always welcomed from the vendor.
Usually it's the short notice that gets peoples' hackles up. It's kind of a dirty trick. Everyone knows things can change.
Uh this is a superficial take. It almost certainly took more effort to hide the images from the public than to publish them.
The community that made them is being shit on.
Or one can just use old images. Which is what many people started doing after their other fuckup - removing perfectly working web UI from free version.
They just can't stop shooting themselves in the foot that didn't even heal from last time.
The last tag with a working web UI is RELEASE.2025-04-22T22-12-26Z btw.
Terrible advice when a CVE is being discussed.