Comment by weli
4 months ago
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will choose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will choose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
"That expectation does not entitle anybody to anything though."
This is true legally, but not otherwise (socially, practically)
"That is their decision. Without any contract or promise, there is no obligation to anybody."
Again, true legally, but IMHO a really silly position to take overall.
Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.
Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.
Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.
Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.
More importantly - society has never survived on legal obligation alone.
I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.
This is a bad analogy. We are talking about building a very simple Docker image.
It is more like you went around your neighborhood and turned people's lights on in the evening, then stopped.
Sure, it’s a lost convenience, but people can easily choose to just… push the button themselves. Or pay somebody to continue doing it for them. Or get a timer.
It’s really not a big deal, and there are plenty of alternatives.
Bad analogy, MinIO isn't a basic commodity required for life.
Maybe a car analogy (because they hardly work). It's like lending your car to someone everyday then stopping, then the person complains that they have no way to get around. But there is walking, biking, busses or buying your own car.
> Again, true legally, but IMHO a really silly position to take overall.
Is it? Let's take a look at the opposite scenario: What if MinIO never released any source code at all? They'd be just another 100% proprietary company like any other and would have never received any backlash for "pulling up the ladder behind them". So offering something for free and then rescinding later is treated worse than never offering anything for free at all!
What a way to entice companies to do open source guys, great job!
Sticking with your analogy -- your townsfolk getting energy for free. As rational people they must include the possibility of free service being over at any time in their planning and act accordingly. Otherwise they're just freeloading.
Did you read the comments on Github (linked by the title)?
So many commenters are just plain rude. They got free value for a long time. Someone giving the free value decides to allocate their time otherwise. And the long-time receivers of the free value now cannot behave.
And you seem to make excuses for them...
It's just rude to behave like that after having enjoyed gifts for so long. They behave like spoiled children. Nothing to defend IMHO.
Have you not seen some of the replies at the link?
For example:
"You are joking ?!
The commit about source only is 4 days old (9e49d5e)
We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may lose a paying customer with this behavior."
Why would a paying customer use the open source version? Deployment in non-prod?
I think if you analyzed your day to day life you'd be surprised with how many reliances you have on norms and social contracts. I personally don't want to live in a world that depends on an explicit legal basis for every single thing, and I doubt you want to either.
The GP didn't say it entitled them to anything, but that it created a sense of entitlement. You are correct there's no contractual obligation to do so, but it was likely a part of the decision to go with their solution, i.e. "they make it easy to deploy!". It is a very logical conclusion to say "they just made it HARDER THAN BEFORE to deploy".
Promises are not always explicit written permission; that's why I got in trouble for re-broadcasting major-league baseball with only implicit verbal permission (thanks, Simpsons!)
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Even as a paying customer on a $1m/yr contract, still using the open source distribution because AIStor is not something we are keen on, we were not informed whatsoever.
They were well aware we were still using those container images, and we were by far the only paying customers doing the same.
This is malicious.
> > When you always published and built Docker images for the public you are creating an expectation
> That expectation does not entitle anybody to anything though.
Note that implied contracts do exist, and sometimes expectations based on prior conduct do suffice to form an enforceable contract. In this case, I don't know whether you can reasonably make that argument, but that's never stopped enterprising lawyers before.
https://en.wikipedia.org/wiki/Implied-in-fact_contract
“I’m not legally required to be nice” has become a classic and very common HN/Reddit argument. While true, it’s kind of beside the point. People often go beyond what they are legally obligated to do, and other people often expect others to go beyond what we are legally obligated to do. This is about nice vs. not-nice instead of legal vs. illegal.
Calling out shitty behavior doesn’t mean you felt “entitled” to anything.
Not all shitty behavior is governed by contracts and licenses. You can be an asshole without violating the terms of a license.
> Without any contract or promise, there is no obligation to anybody.
When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with. There was no contract or promise. The fact you're paying for their service doesn't buy you these rights either. Those are just the terms of service both parties have agreed to.
Similarly, open source software is much more than a license. There is a basic social contract of not being an asshole to users of your product, which is an unwritten rule not just in software and industry in general, but in society as a whole. The free software movement is an extension of this mindset, and focuses on building software for the benefit of everyone, not just those who happen to pay for it, or those who meet your specific criteria. Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it. And your point is that that people who complain about this are entitled? Give me a break.
If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.[1]
[1]: https://news.ycombinator.com/item?id=45666757
Why aren't there similar expectations for users of Open source? That is be ready to take over yourself if maintainers do not want to do something anymore? Do not ask or demand anything. Do not expect anything but the code. To understand that you can not expect or be entitled to anything. And celebrate what you get just now.
With this the solution becomes obvious. You select piece of technology to build on you are fully and ready to take over it for purposes you want to use for it. The code is shared and you should not expect anything more.
> The fact you're paying for their service doesn't buy you these rights either.
It certainly does. In the UK and many other countries (possibly not the US), as soon as you are paying for a good or service you are entitled that it is satisfactory quality, fit for purpose and as described. I think it's uncontentious that a meal at a restaurant that includes poo is not satisfactory quality. Businesses have less rights than consumers but this would still count. However, the restaurant is certainly free to refuse serving you at all (unless it's because of a protected characteristic e.g. because of your race or gender).
I'm not sure how much that affects your analogy since it was probably a bit too far removed from the original situation to be useful anyway.
> If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start. Stop abusing OSS as a marketing tactic.
But MinIO didn't do any of that. They're still a 100% open-source project, with the proper license.
Truly strange analogy. 1) No restaurant is serving free food for years. 2) Serving poop will really be a very serious legal issue even if it was served for non-tippers.
Seems like the new definition of open source is not license, not code but What I need others must do for me
> When a restaurant which you've been going to for years one day decides to serve you your favorite meal with a bit of poop on the side, do you not have the right to be upset about it? They're not under any obligation to serve you meals you're happy with.
That has got to be the most fallacious analogy I've seen in a long time, and that's ignoring the fact that serving poop would get you in serious trouble in most jurisdictions. "False equivalence" barely covers it.
> There is a basic social contract of not being an asshole to users of your product
Nope, nope...you win. Even more fallacious. Being an asshole to your users is a meme in OSS it's so common. Someone should tell that Linus guy about this 'social contract' he agreed to and signed that he's in violation of. /s
> Claiming you support this philosophy, while acting against it, is hypocritical, and abusive towards people who do believe in it.
You think there's a philosophy. Some other people here do. There is no consistent OSS philosophy. There wasn't back when Stallman was thinking "what should I call this thing that is Not Unix" and there isn't today. If that was remotely true we'd still be happily using GPLv2. Because at the end of the day there is what is written in the license, and then there is wishful thinking. Sometimes wishful thinking results in nice things, and sometimes...well...here we are.
> If you want to place restrictions on how your software is used and who gets to enjoy it, that's fine, but make those terms explicit by choosing the appropriate license and business model from the start.
Ignoring the laugh-out-loud silliness of "you should pick all these things about your startup day #1 and NEVER CHANGE THEM", exactly what terms of their OSS license did they violate? Be explicit. Don't wave your hand and say "but social contract that doesn't exist!", "but philosophy I made up and want to apply to people who didn't agree to it!". Because a license only means what's written down in it, not what we want it to mean. I get that you think there should be a "No assholes, we'll never, ever pivot to meet market changes and we pinky swear we won't rug pull on you" license that people should be forced to use, but I don't think too many people will sign up for it. See: GPLv2.
You're correct and the project isn't entitled to any good will or usage from the community either. So they get what they get, just like the community. Or you know, everyone can just give a shit about each other even if it's a bit more effort.
[dead]
You seem more entitled to your opinion than others.
> That is their decision. Without any contract or promise, there is no obligation to anybody.
Not everything is legally enforced. Open source is a social phenomenon. Why are you so surprised that these social rules are being enforced socially?
There are obligations... it's how society functions.
> I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
I really don't get this entitlement. You expect that nobody should follow any social contracts and I'm sure are always surprised when people call you out for being asocial.
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distribution's standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
</rant>
> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.
Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.
This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.
I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.
I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.
> Does it make you less frustrated
No. There is no valid justification, and the suggestion otherwise suggests a lack of understanding of what exactly these rude individuals are demanding.
The very least people can do when receiving such quite extensive voluntary favors and dedication from others is to be polite and show proper gratitude and appreciation. Otherwise, they are not worth the personal and uncompensated sacrifice of time (a quite non-renewable resource) and personal health required for the support. They are not even worth the stress or brain cycles required for communication.
(Not saying there aren't plenty of people showing appreciation - otherwise we would have given up on FOSS entirely a long time ago - just talking about those that don't)
Funny that pattern recognition does not extend to the universal pattern of "things end". A stoic would be appalled--if they'd care.
Why not talk about other parts of coexisting with humans? Parasitical relationships, having to learn and adapt, communicating your needs instead of making assumptions, etc.?
> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.
If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.
Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.
It’s irresponsible to use open source software, be it a docker image or the application itself, if you’re not willing to maintain it or replace it yourself at short notice if what the maintainer is willing to do/publish no longer meets your needs.
Don’t like it? Stop being a parasite and pay someone for a support contract.
It is also not irresponsible, or a rug pull. The project is still available, free, and widely packaged as it always has been, just one redundant source removed.
I don't get why they would provide prebuilt binaries in the first place, and removing them is just cleanup.
> Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company
so it's a communications issue? if minio or whoever explains this, OK. that's not what happened, so it's not what happened.
If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out had a knife guard put in place.
We're not going around making kitchen knives illegal. I would go out of my way to mitigate footguns where an entirely legitimate use or legitimate source of confusion would turn foul, but if you chose to go out of your way to misuse it as a hammer or ignore documentation, then you're on your own.
In this case, we're not even talking about that though, it's just a redundant prebuilt binary getting janked. I don't think it makes sense to provide prebuilt binaries in the first place.
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
To me, there are two aspects:
- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)
- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
> if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it
Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.
> of course, if you run out of business or something bad happens to you, that's something else
Huh? So now everyone should let you know "it was out of their hands"? You have no idea how entitled you behave.
> There is some kind of implicit commitment.
No. That's just between your ears. It's putting fancy words on a feeling you have, not something that actually exists.
> what's the point of even providing pre-built Docker images if you expect people not to rely on them?
How do you know they had that expectation? And why do you care?
> This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
You are excusing yourself for these commenters that behave like spoiled children: not thankful for what they got for free, but only bitching when it stops.
I don’t know much about the MinIO project specifically, but to me it seems to be a common misconception that just because a maintainer provides their software project under a permissive license (such as AGPL, MIT, etc.) would necessarily imply that they do this for particular ethical reasons, like caring about “the community” (whoever that is) or contributing something for the greater good.
In the end, it’s just software made available under specific terms. While I understand the inconvenience for users if things change, it feels like part of the disappointment might stem from one-sided expectations.
Compare to bitnami: https://github.com/bitnami/charts/issues/35164
Recently switched from bitnami to minio here, with plenty heads up & they scheduled brown outs etc, along with legacy images to fallback on for users who don't get informed by anything until image gone
This is also becoming a trend with open source projects turning into source available projects with obscure and hidden ways to deploy them to prevent average users from running the software in their homelabs etc.
> you are creating an expectation
that's entitlement but seen from the other side.
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
This only inconveniences open source freeloaders. Maybe you can volunteer some time to build Docker images?
Rant about the concept of open source freeloaders: there's no such thing as open source freeloaders. If the license explicitly gives you the right to use the stuff for free, there's nothing wrong in using this right. While it would be the right thing to give money / otherwise support the projects you rely on, it's on the software developers who decide to give these rights (I also think it's the right thing to do though) to figure out the business model.
There's also nothing wrong in being upset about something you relied on disappearing overnight. If someone decides to provide something for free, they should give time for people to stop relying on this free stuff if they can.
However, I also believe you should own it if you decide to ever rely on prebuilt Docker images. More specifically, if you are relying on prebuilt Docker images, you are letting someone else decide on a part of your infra. And yes, this someone else can decide to stop providing this part of your infra overnight. This is on you.
I also don't find anything wrong in deciding to not provide binaries for your open source project, or to stop providing binaries, including docker images.
freeloader (OED): a person who takes advantage of others' generosity without giving anything in return.
Sounds exactly like freeloading to me. You may think of that term negatively, but it is exactly what it is.
Fork and build your own. Isn't that the whole open source ethos? Why it was invented and how it is intended to operate.
Indeed, it feels like most people today treat open source as a placeholder for "work I don't have to do myself" and then get confused/upset when the project and their own interests no longer align and requires effort to bridge that gap in alignment.
https://github.com/coollabsio/minio
Coolify is already doing it but your comment is on the verge of being passive-aggressive. I wouldn't say these are open source freeloaders because they could be using things like watchtowers etc. which automatically update and it could be a very huge deal for automated updates especially after I saw that some recent CVE of minio happened.
Simply put this just hurts the security of people running minio, I wouldn't say it's freeloading, it's actively harming the community. There are people in that thread who are paid customers as well saying that they lost a customer. I wouldn't say it's freeloading. Minio already has some custom license or paid offering and I think that they make decent enough money out of it, providing docker files and then stopping to is kinda a shitty behaviour if they are unable to explain the reasons exactly why. I couldn't find the exact reasons on why they are doing what they are doing except making it hard for people to self host.
It also inconveniences people who aren't freeloaders - or are you forgetting about the community?
People submitting PRs aren't freeloaders: they are building the product for you. People filing bug reports aren't freeloaders: they are helping you solve the bugs in your code. People writing blog posts about setting up MinIO aren't freeloaders: they are writing documentation for you. People holding talks about it at conferences aren't freeloaders: they are essentially doing free marketing for you. Even someone leaving a "thumbs up" on a Github issue isn't a freeloader anymore!
MinIO is also screwing over those active contributors, who are volunteering their time to improve the value of MinIO's product. That's not just "no longer helping freeloaders", that is "actively hurting the community".
Besides, I'm sure the community has plenty of people who would be more than happy to volunteer time to build Docker images. Do you really think MinIO is going to let them publish it under the official "minio/minio" name so the community can still benefit from it without MinIO having to "support freeloaders", or do you think there could be an ulterior motive behind nuking the image - such as pushing people to the paid version?