To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spewed out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
I'm trying to be charitable here, but you're being incredibly obtuse in your response. The issue here is very much not that someone has to build a Docker image. There's already a Dockerfile in the repo that works to build it, you didn't even need some LLM to do that for you. That's not the issue. The issue is that their existing Docker image has billions of downloads and they simply stopped publishing updates unilaterally with no material attempt to communicate this to their users when the current image is affected by a critical CVE that will now never be fixed.
If you don't understand the difference between these two issues, I would suggest it is /you/ that lacks the ability to add sufficient value to your employer (as if that's even a standard we should care about. We are people, not merely cogs in some VC's wet dream).
The LLM stuff aside, how is minio supposed to communicate with the people who pulled their docker image?
The timeline is rather short (the README announcing source-only releases got updated a week and a half ago) but it's not like Docker will let you email everyone and say "you're using one of our products, read this post about our new distribution model", probably for good reason. I can only imagine the "vulnerability" warnings flooding the world if every pulled container opened an avenue for emails.
I wouldn't buy their weird AI product off them after they behave like this, but this is software they've been maintaining and giving away for free, for years. Unless you have a contract with them where they promised maintenance, I don't see why this is on them, really.
The company can go bankrupt tomorrow and you won't even be able to pay them to update their images. Maintaining your dependencies is your responsibility, especially if you're not paying them a dime.
You're taking an all-or-nothing approach, when that isn't how this actually works. Software lifecycle management is part of product management 101, and generally how this is handled is you provide /advanced notice/ before an action is taken. Will this fully solve this issue and guarantee notification to every impacted user? No. Will it help some of them and show a material attempt to be a good steward and act in good faith? Yes.
Some actions that they could have taken but didn't:
* Post a public notice on their website with a set date 90+ days out for when they'd shut off CI and stop producing new images
* Add a line to their Docker init script that puts out a deprecation notice with the same date 90+ days out to STDOUT that will get seen/logged on systems using the image
* Send direct communication to their paying customers via email or generated support tickets notifying them of the upcoming deprecation and that they need to switch their deployments to a new image source on a set date 90+ days out.
They could have done all three of these things; they could have done other things also. Most importantly, anything they do should have time for people to digest and respond to the action in a reasonable manner. You should not rug pull people by unilaterally changing something with no prior notice, only telling people about the change as it happens, and immediately causing a problem (no forward path for CVE fixes).