MinIO (apparently) becomes source-only
112 comments
·October 22, 2025Tepix
weli
When you always published and built Docker images for the public you are creating an expectation, people will rely on that and will chose your software based on that expectation.
You suddenly deciding that you won't be offering updated Docker images especially after a CVE and with no prior notice (except a hidden commit 4 days ago that updated the README) is approaching malicious-level actions.
If they truly cared about their community and still wanted to go through the decision of not offering public docker builds the responsible thing to do is offer a warning period, start adding notices in the repo (gh and docker) and create an easy migration path, even endorse or help some community members who would be fine with taking care of the public builds of the image.
But no, they introduced the change, made no public statement about it, waited for someone to notice this, offered no explanation and went silent. After a huge CVE. Irresponsible.
Hendrikto
> When you always published and built Docker images for the public you are creating an expectation
That expectation does not entitle anybody to anything though.
> people will rely on that and will chose your software based on that expectation
That is their decision. Without any contract or promise, there is no obligation to anybody.
> You suddenly deciding that you won't be offering updated Docker images […] is approaching malicious-level actions.
I really don’t get this entitlement. “You are still doing unpaid work I benefit from, but you used to do more, therefore you are malicious.” is something I really cannot get behind.
DannyBee
"That expectation does not entitle anybody to anything though."
This is true legally, but not otherwise (socially, practically)
"That is their decision. Without any contract or promise, there is no obligation to anybody."
Again, true legally, but IMHO a really silly position to take overall.
Imagine I provide free electricity to everyone in my town. I encourage everyone to use it. I do it all for free. I'm very careful to ensure the legal framework means i have no obligation, and everyone knows i have no obligations to them legally. They all take me up on it. All the other providers wither and die as a result. 15 years later, i decide to shut it all down on a whim because i want to move on to other things. The lights go out for the town everywhere.
Saying "i have no legal obligations" is true, but expecting people to not be pissed off, complain, and expect me to not do this is at best, naive.
Calling them entitled is even funnier. It's sort of irrelevant if they are entitled or not, after i put them in this position.
Legal obligation is not the only form of obligation, and not even the interesting ones most of the time.
More importantly - society has never survived on legal obligation alone.
I do not think you would enjoy living in a world where legal obligation is the only thing that mattered.
jphoward
Have you not seen some of the replies at the link?
For example:
"You are joking ?!
The commit about source only is 4 days old (9e49d5e)
We are currently paying for a license while using the open source version, you already removed the oidc code from UI console and now docker images. We are not happy by this lock-in. We will discuss this internally, but you may loose a paying customer with this behavior."
fukka42
[dead]
arghwhat
There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Building minio is not only trivial, but is standard procedure - the latest release is in my distributions standard package repo, and they would not use prebuilt binaries. If you want that dockerized, the Dockerfile is shorter than the command-line to run said container. Dealing with Docker themselves, the corporation that has famously gone on a tax collection spree, is however quite the pain in the arse for a company.
I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free. Sure, minio is run by a corporation these days and this applies a bit more to smaller FOSS projects, but the complaint is that the silver spoon got replaced with a stainless steel one. You're still being fed for free, despite having done nothing for it.
</rant>
1dom
> I can't stand the entitlement people (everyone, not one particular person) feel when they are provided things for free.
Does it make you less frustrated to remember that humans are pattern recognition machines and our existence is essentially recognising and adapting to patterns, and so when someone does something repeatedly - regardless of if they're doing it for free - humans will recognise a pattern and adapt to it.
This is an inevitable consequence of coexisting with humans: if someone does something repeatedly, it creates an expectation. This is how learning works. If someone stops doing something, people are going to mention the consequences of their expectation not being met. Framing that as entitlement doesn't seem productive, especially in situations like this where it looks like the change wasn't properly communicated.
I don't think there can be a world where humans are able to learn/adapt/be efficient whilst not having expectations.
I believe there could be a world where people don't get pejoratively labelled as entitled for expressing the inconvenience caused by having functionality removed.
weli
> There is absolutely nothing malicious or suspicious about deciding not to provide docker images or binaries. Doing so does not hide or guard you against CVE's, which are entirely unrelated to such optional processes.
Agree. But that's not my point. If you start an oss project from scratch and you don't want to provide builds that's fine.
If you start your oss project, provide public docker images since the beginning, start getting traction, create a commercial scheme for you to monetize the project and then suddenly make a rug pull on the public builds; that is indeed irresponsible, and borderline malicious when you do it without: 1. sufficient warning time. 2. after a recent cve.
Is it malicious? I don't know. I prefer to believe in Hanlon's razor. Is it irresponsible? 100% yes.
fragmede
If it were for a feature request, it would feel more justified. People feeling entitled to making feature requests is one thing. Like they can get fucked. Contribute code or pay me. But if I let something loose out into the world that suddenly started causing problems because someone discovered you could stab people with it, I'd be going around making sure all of the copies I gave out it had a knife guard put in place.
eptcyka
Nobody signed any service level agreements, the docker images were provided on good will. If this is business critical for you, consider paying someone to solve this problem for you. Maybe even consider paying for a F/OSS solution so you are not the only one funding what should be a community effort.
I do concede that they could’ve done a better job communicating these changes. But they don’t have to.
jraph
To me, there are two aspects:
- if you rely on something, you should make sure you can reasonably rely on it (indeed, for instance by paying someone)
- if you provide something, even for free, you should expect people will rely on it and you shouldn't pull the plug overnight if you can help it (of course, if you run out of business or something bad happens to you, that's something else). There is some kind of implicit commitment. Nobody should be entitled to receive free pre-built Docker images, but OTOH what's the point of even providing pre-built Docker images if you expect people not to rely on them? This feels pointless and you probably shouldn't start providing them in the first place if you have this expectation.
hansmayer
> You suddenly deciding that you won't be offering updated Docker images especially after a CVE
I hate to break it to you, but you know the CVEs are fixed in the source code, not in the Docker Image? Just build it yourself, the good folks have even provided a Dockerfile for it.
blueflow
> you are creating an expectation
thats entitlement but seen from the other side.
phatfish
This only inconveniences open source freeloaders. Maybe you can volunteer some time to build Docker images?
jraph
Rant about the concept of open source freeloaders: there's no such thing as open source freeloaders. If the license explicitly gives you the right to use the stuff for free, there's nothing wrong in using this right. While it would be the right thing to give money / otherwise support the projects you rely on, it's on the software developers who decide to give these rights (I also think it's the right thing to do though) to figure out the business model.
There's also nothing wrong in being upset about something you relied on disappearing overnight. If someone decides to provide something for free, they should give time for people to stop relying on this free stuff if they can.
However, I also believe you should own it if you decide to ever rely on prebuilt Docker images. More specifically, if you are relying on prebuilt Docker images, you are letting someone else decide on a part of your infra. And yes, this someone else can decide to stop providing this part of your infra overnight. This is on you.
I also don't find anything wrong in deciding to not provide binaries for your open source project, or to stop providing binaries, including docker images.
Ekaros
Fork and build your own. Isn't that the whole open source ethos? Why it was invented and how it is intended to operate.
Imustaskforhelp
https://github.com/coollabsio/minio
Coolify is already doing it but your comment is on the verge of being passive agressive. I wouldn't say these are open source freeloaders because they could be using things like watchtowers etc. which automatically update and it could be a very huge deal for automated updates especially after I saw that some recent CVE of minio happened.
Simply put this just hurts the security of people running minio, I wouldn't say its freeloading, its actively harming the community. There are people in that thread who are paid customers as well saying that they lost a customer. I wouldn't say its freeloading. Minio already has some custom license or paid offering and I think that they make decent enough money out of it, providing docker files and then stopping to is kinda a shitty behaviour if they are unable to explain the reasons exactly why. I couldn't find the exact reasons on why they are doing what they are doing except making it hard for people to self host.
ryanjshaw
> I don't understand what people are complaining about
Talk is cheap. People will complain about something they’re not legally entitled to because there’s no downside, only an upside if the company backtracks.
In the background they are probably creating tickets to mitigate the risk if the complaining doesn’t work. It’s perfectly rational.
I don’t understand the people who don’t understand this.
grandfugue
It's legit. Just gives people the impression that it is sabotaging the community. I understand why they do it (the more inconvenience the more likely people are gonna pay), but wish companies are more thoughtful on open sourcing code and how to differentiate enterprise offerings at the beginning, rather than playing tricks after gaining tractions.
Aeolun
They are entitled to stop building docker images. Their users are entitled to get salty and go find alternative products.
If that is Minio’s expectation, then all is good, but it seems kinda counterproductive? I never liked minio, but I certainly wouldn’t use it after seeing them remove features.
jinkylist
>I certainly wouldn’t use it after seeing them remove features.
All sorts of projects remove features all the time though, even the linux kernel drops support for hardware that may or may not be in use somewhere
>Their users are entitled to get salty and go find alternative products.
People are entitled to feeling things of course, others will only point out that it may not be justified and that the user is liable to get hurt again if they never adjust their expectations to meet reality
hansmayer
Exactly. looked up their github to see what the big issue was about and they still provide the full source + the Dockerfile. It's not a huge issue that it is being made into. Does no-one know how to build a Docker image any more?
Timshel
Well removing any distribution after a CVE is a nice touch ...
Klemoniono
Company makes Open Source. Open Source community enbraces it, helps it to become the defacto standard.
Company does a rug pull because they are unable to make a proper business out of it and leaves the community hanging dry.
Removing the container image build step, which was ALREADY THERE, and doing this internaly only, is the gatekeeping they are now doing.
Its like 0 effort to provide these images.
And yes pricing pages like this is always the same: You don't get any deal below 1k / month minimum because they have some pre-sales people and a payment pipeline which doesn't work for anything small or startup like.
Somehow i don't get MinIO anyway. They got over 100 Million of investment for an S3 system. Its basically a done product. Its also a typical 'invest once build it once, keep it running' thing which can easily be replicated with a little bit of investment from other companies.
I have no clue how they ever got valued over 100 Million.
hansmayer
> Its like 0 effort to provide these images.
I love it when entitled folks both expect to use someone else's work AND immediately downplay someone else's effort (no, I am not affiliated with Min.IO, just saying if you are scared of building a docker image yourself, maybe you should not downplay someone else's effort).
jmorenoamor
But a properly built image is a nice part of a product release.
Building a quality production ready image is not trivial, and it's always welcomed from the vendor.
MuteXR
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
jinkylist
Is it an excuse? Maintaining code costs money, and the previous versions are provided under the license, and you're free to modify it, pull selective patches and maintain them yourself. While It'd be convenient if the license was a promise to develop and maintain features for free in perpetuity, it just isn't.
I run into this in non-company backed open source projects all the time too. Some maintainer gets burned out or non-interested and all they're rewarded is people with pitchforks because they thought there were some sort of obligations to provide free updates and suppport
fukka42
[dead]
jraph
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
---
See also the relevant README section: https://github.com/minio/minio?tab=readme-ov-file#source-onl...
adamcharnock
We [0] use MinIO with for our clients so we've just thrown together a nightly build process. Use/fork as you wish:
https://github.com/golithus/minio-builds
Example use:
docker run -p 9000:9000 -p 9001:9001 ghcr.io/golithus/minio:latest
mattbee
They abandoned documentation a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.
weinzierl
Not a full replacement but there is Garage, which was quite well received in other HN threads.
c0balt
Can vouch for it as an adequate self-hostable option. It has some missing features, compared to Minio, and is less compatible but works for most applications.
olivermuty
could you elaborate on this? we're looking at moving off cloudflare r2 in the somewhat near future and garage is on our short-list
c0balt
Garage worked for most of my use-cases but it lacks, among other endpoints[0], bucket ACLs and bucket replication. Anonymous access is also an open issue[1].
They are also a comparatively young project and while fully OSS do not, afaik, appear to have a solid long term funding source yet. Though that might be an opportunity to support them, if your company is interested in picking them.
[0]: https://garagehq.deuxfleurs.fr/documentation/reference-manua...
Aeolun
I find garage to require quite a lot of fiddling.
znpy
Afaik Ceph has its own object-storage functionality as well, which seems to be S3-compatible: https://docs.ceph.com/en/latest/radosgw/#object-gateway
maxloh
Yeah. They also created a open source test suite for S3 clones.
This is a set of unofficial Amazon AWS S3 compatibility tests, that can be useful to people implementing software that exposes an S3-like API. The tests use the Boto2 and Boto3 libraries.
a10c
I believe you're forced to have your data backed by a Ceph OSD. Whereas Minio can point to an NFS share on a NAS.
Eikon
Doesn't support if-match.
adamcharnock
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interesting to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
xavxav
garage devs have told me of 10PiB+ deployments in production, but I've never operated one at that scale so I can't share much insight into the experience. Probably best to ask on their matrix chat.
Imustaskforhelp
https://github.com/coollabsio/minio
I was reading the github discussion and found out that coollabs has taken on the decision to make docker images for these.
https://github.com/coollabsio/minio
https://github.com/minio/minio/issues/21647#issuecomment-342...
>Until we (the community) figure out something, I made an automated docker image version here: https://github.com/coollabsio/minio
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Idk what I will recommend now? Garage? Seaweedfs?
mlrtime
Wow, ~75 lines of Dockerfile and ~300 lines of github actions, hosted on a FREE platform.
Seriously, what is the rage here, anyone could do this.
Imustaskforhelp
I hope you have read the github issue page
This was the first person after so so many comments to actually do something about it, and he's from coolify which can be decently trusted with.
Everybody likes to rant and the dislikes on github issues show but I just respect the guy for even taking his time to write this.
Sure you can try to reduce it to LOC or anyone can do this, but did you?
Also there is a trust factor, I can trust coolify's docker image as compared to any other people.
ThatPlayer
Anyone including MinIO. So why did they stop doing it? That decision making is what people do not like.
asgeirn
Getting it from source is as easy as `go install github.com/minio/minio@latest` if you have a recent Go.
In addition your favorite Linux distribution probably has it as from-source builds already.
For a container image you could try making one from Alpine or Wolfi.
antonyh
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
jeroenhd
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and " While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
[1]: https://github.com/minio/minio/commit/9e49d5e7a648f00e26f224...
It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.