
Comment by weli

4 months ago

> There is absolutely nothing malicious or suspicious about deciding not to provide Docker images or binaries. Doing so does not hide or guard you against CVEs, which are entirely unrelated to such optional processes.

Agree. But that's not my point. If you start an OSS project from scratch and you don't want to provide builds, that's fine.

If you start your OSS project, provide public Docker images from the beginning, start getting traction, create a commercial scheme to monetize the project, and then suddenly pull the rug on the public builds, that is indeed irresponsible, and borderline malicious when you do it (1) without sufficient warning time and (2) right after a recent CVE.

Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.

It’s irresponsible to use open source software, be it a Docker image or the application itself, if you’re not willing to maintain it or replace it yourself at short notice if what the maintainer is willing to do/publish no longer meets your needs.

Don’t like it? Stop being a parasite and pay someone for a support contract.

  • As far as I can tell, people who are paying for support contracts were also impacted by this. It was explicitly called out in that thread.

It is also not irresponsible, or a rug pull. The project is still available, free, and widely packaged as it always has been, just one redundant source removed.

I don't get why they would provide prebuilt binaries in the first place, and removing them is just cleanup.