
672 points LexSiga | 6 comments
Tepix ◴[] No.45666563[source]
It's an Open Source project - I don't understand what people are complaining about. No one is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.

What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.

weli ◴[] No.45666766[source]
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will choose your software based on that expectation.

You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.

If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.

But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.

eptcyka ◴[] No.45666945[source]
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.

I do concede that they could’ve done a better job communicating these changes. But they don’t have to.

1. jraph ◴[] No.45667195[source]
To me, there are two aspects:

- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)

- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.

2. cies ◴[] No.45667384[source]
> if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it

Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.

> of course, if you run out of business or something bad happens to you, that's something else

Huh? So now everyone should let you know "it was out of their hands"? You have no idea how entitled you behave.

> There is some kind of implicit commitment.

No. That's just between your ears. It's putting fancy words on a feeling you have, not something that actually exists.

> what's the point of even providing pre-built Docker images if you expect people not to rely on them?

How do you know they had that expectation? And why do you care?

> This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.

You are excusing yourself for these commenters that behave like spoiled children: not thankful for what they got for free, but only bitching when it stops.

3. jraph ◴[] No.45667410[source]
Hey, tone down, please. Also, have you, for some reason, totally missed the first point in my comment?

> Do you know their reasons for discontinuing? Are you even entitled to know that? It's their private matter.

Fully addressed in the "if you can help it" part of my comment.

> You have no idea how entitled you behave.

I have 100% idea how entitled I behave. I don't at all. I don't use MinIO. As an employee, I push internally for relying on our own infra (but we are quite good at this already).

I don't expect open source projects to provide binaries. Well, I kinda do if they've been doing it though. Expectations vs entitlement? Not the same thing.

We're discussing human interactions and expectations here.

---

So, in your opinion, what's the point of providing pre-built binaries if you don't want others to be able to rely on them then?

As someone who develops free software in my hobbies and also as an employee, if I provide binaries for free, I 100% expect people to be able to rely on them, or I just don't do it, and I would 100% feel like I'd be causing them issues by stopping doing it on short notice. I would feel like I'd owe them explanations (and there can be valid ones I'm sure - burn out would be a hell of a valid explanation to stop working on the projects at all) if I did that. They'd not be entitled to receive the binaries from me, but they would expect it and breaking expectations is not very nice. I have difficulties seeing this another way to be honest.

Let's also recall that we are talking about a project whose business might have benefited from the adoption in the first place.

> why do you care?

I could care about nothing, but that's not what I'm on HN for. I'm curious and interested.

You can read more about my views on this stuff here if it can help understand me: https://news.ycombinator.com/item?id=45667271

4. ndriscoll ◴[] No.45668012{3}[source]
If you were relying on their pre-built binaries, you presumably still have them. It's not like they went and deleted them off of your computer. They're just not giving you new pre-built binaries (but they're still giving you new code for free! And others pre-build binaries for free anyway). Do the old ones stop working at some point?

Note that a CVE is not an indication that something doesn't work. In the real world, they're mostly relevant only for businesses that need something like PCI compliance. Especially for something like a storage server that shouldn't be directly exposed to the Internet. If you are a business that has some compliance obligation, you have no one to blame but yourself if you rely on others' charity to meet that obligation.

5. jraph ◴[] No.45668129{4}[source]
Existing binaries don't stop working, but adapting your infra to get the update can take some time.

Without other elements, it's definitely not nice to stop releasing the binaries out of the blue, especially for a security fix. To me it's purely a question of breaking expectations you've built yourself (I don't mean entitlement, I mean expectations).

Now, it's indeed not the end of the world, and:

> you have no one to blame but yourself if you rely on others' charity to meet that obligation

100% agree with you on this (that's my first point in my original comment).
