
Comment by jeroenhd

4 months ago

The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?

The timeline is rather short (the README announcing source-only releases got updated a week and a half ago), but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.

I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.

The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.

You're taking an all-or-nothing approach, when that isn't how this actually works. Software lifecycle management is part of product management 101, and generally how this is handled is that you provide /advance notice/ before an action is taken. Will this fully solve the issue and guarantee notification to every impacted user? No. Will it help some of them and show a material attempt to be a good steward and act in good faith? Yes.

Some actions that they could have taken but didn't:

* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images

* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image

* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.

They could have done all three of these things, and they could have done other things too. Most importantly, anything they do should leave time for people to digest and respond to the action in a reasonable manner; you should not rug-pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).
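The entrypoint deprecation notice from the second bullet above, as an added example that is not from the thread or from MinIO: a wrapper script that prints a dated warning on every container start (so it lands in the container logs) and then hands off to the real server. It assumes a Linux image with GNU `date`; `DEPRECATION_DATE`, `NOTICE_URL`, the `--as-entrypoint` flag and the server name are hypothetical.

```shell
#!/bin/sh
# Constructed example of a deprecation-notice entrypoint; not MinIO's code.
# Announces a fixed cutoff date on every start, then execs the real server.

DEPRECATION_DATE="${DEPRECATION_DATE:-2026-03-31}"              # assumed cutoff, 90+ days out
NOTICE_URL="${NOTICE_URL:-https://example.invalid/distribution-change}"  # placeholder URL

# days_until CUTOFF [NOW]: whole days from NOW (default: today, UTC) to CUTOFF.
# Negative once the cutoff has passed. Relies on GNU `date -d` (assumption).
days_until() {
    cutoff_s=$(date -u -d "$1" +%s)
    now_s=$(date -u -d "${2:-$(date -u +%F)}" +%s)
    echo $(( (cutoff_s - now_s) / 86400 ))
}

# deprecation_notice CUTOFF [NOW]: write the warning to stderr so it is captured
# by `docker logs`. Returns 0 while the cutoff is still ahead, 1 once it has
# passed, so an operator's wrapper can escalate (alert, refuse to start, etc.).
deprecation_notice() {
    remaining=$(days_until "$1" "$2")
    if [ "$remaining" -ge 0 ]; then
        echo "DEPRECATION: this image stops receiving builds on $1 ($remaining days left). See $NOTICE_URL" >&2
        return 0
    fi
    echo "DEPRECATION: this image stopped receiving builds on $1 ($(( -remaining )) days ago); no further security fixes are published here. See $NOTICE_URL" >&2
    return 1
}

# Entrypoint mode, e.g. ENTRYPOINT ["/entrypoint.sh", "--as-entrypoint", "server"]:
# warn (never block startup here), then exec so the server keeps PID 1 and signals.
if [ "${1:-}" = "--as-entrypoint" ]; then
    shift
    deprecation_notice "$DEPRECATION_DATE" || true
    exec "$@"
fi
```

Sourcing the script without `--as-entrypoint` only defines the functions, which is how the checks below call it.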