
672 points LexSiga | 1 comments
antonyh No.45667228
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.

What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.

replies(1): >>45667763 #
GrinningFool No.45667763
> Leaving a known unsafe version as the last release is irresponsible.

I think they should have done a better job of announcing this ahead of time (or at all, really); but there's realistically never going to be a CVE-free release to stop on, because the next CVE is just around the corner.

replies(1): >>45672021 #
GrinningFool No.45672021
I'm not sure why I got downvoted here. Minio's behavior here is shitty - but in a day or a month after the last image is released, there /will/ be a CVE that affects that image. By GP's statement, when are they then able to stop releasing?