
The Deletion of Docker.io/Bitnami

(community.broadcom.com)
329 points zdkaster | 1 comments
greatgib No.45049298
I don't want to discount the work they are doing, or say that it has no value, but it is a little bit shocking that they expect to go all commercial with this, in the Oracle way, while just "packaging" and so relying on open source software that they will not contribute to.

Also, I'm wondering a little bit how much all of this is really copyrightable in the end. Because if you keep it private I understand, but here it is basically, for each package, just a few lines: recipes to build the components that they don't own. Like trying to copyright the line "make build".

And it might in each case be the single, obvious way to package the thing anyway.

And speaking of the built artefacts, usually a binary distribution of third party open source software with a common license should preserve for the user the same rights to access the source code, the instructions to build, and the right to redistribute...

replies(2): >>45049473 >>45049478
supriyo-biswas No.45049478
What probably carries more value is the helm charts that they provide which are also on their way out.

The images themselves have official replacements (for example, looking at https://hub.docker.com/u/bitnami why wouldn’t I use Node or Postgres images from the official sources instead).

I have no idea how many people actually used their helm charts though.

replies(2): >>45049531 >>45049943
progbits No.45049943
They do keep some of them more up to date; for example, the Bitnami python image had system packages patched faster than the official one. But if you are willing to pay, then Chainguard is a better solution.
replies(1): >>45050270
firesteelrain No.45050270
ChainGuard is $$$$$$$

We talked to them a couple of years ago. A lot of what they are doing, besides Wolfi, is using Alpine, which removes a lot of findings by default.

replies(2): >>45050918 >>45052258
progbits No.45050918
Alpine helps, but it's not perfect. Plenty of outdated packages with known CVEs sit there for a long time.

Often they are not exploitable, but it's easier to pay Chainguard to have a constant zero on our vuln scanner than to deal with distroless builds ourselves.

The GPU images are indeed very expensive though.

replies(1): >>45050993
<gr_insert after="42" cat="add_content" lang="dockerfile" orig="replies(1):">
For readers wondering what "dealing with distroless builds ourselves" involves, here is an added illustration (not from any commenter, and not Bitnami's or Chainguard's own packaging): a two-stage Dockerfile that compiles a Go service in a full toolchain image and then copies only the static binary into Google's `gcr.io/distroless/static-debian12` base, which ships no shell or package manager. The service name `./cmd/app` and the listening port are assumptions for the example.

```dockerfile
# Stage 1: build in a full toolchain image (never shipped).
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary with no libc dependency,
# so the runtime image needs no OS packages at all.
# ./cmd/app is an assumed path for this example.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: minimal runtime. The :nonroot tag runs as UID 65532,
# and the image contains no shell, package manager, or system libraries,
# which is what keeps a scanner's OS-package findings near zero.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
EXPOSE 8080
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

The trade-off the comment describes shows up in practice here: the scanner stops flagging OS packages because there are none, but anything the binary links in (Go modules, vendored C if CGO were enabled) still has to be tracked and rebuilt by the team, and debugging a running container means attaching a separate tools image rather than `docker exec`-ing into a shell.
</gr_insert>
firesteelrain No.45050993{3}
I get it, but the likelihood that those vulns are exploitable in your environment is dubious. It's a lot of compliance theater. Defense in depth.
replies(2): >>45051153 >>45051237
1. No.45051237{4}