sokoloff 3 years ago

Having read the minIO allegations last week, I was fully expecting to read some weasel-y/half refutation here.

Instead, this is a strong refutation and, if everything WEKA says here is true, it is much less certain that they've done anything wrong and it seems like it's on minIO to prove that they've used minIO software subject to AGPL rather than only to Apache.

Previous HN discussion: https://news.ycombinator.com/item?id=35299665

  • xoa 3 years ago

    Not a lawyer and this is an area where I genuinely just don't know, so I'd love to find a place that's explored this and could read more. But WEKA's statement #2 about the irrevocability struck me as odd in its expansiveness. My understanding was that "irrevocable" essentially is about arbitrariness and time, that so long as the licensee follows the governing license as written then it continues indefinitely and the licensor may not ever simply decide to revoke it. But if the license terms were broken, then could the copyright holder then say the contract was broken? I didn't think "irrevocable" meant "every other aspect of this contract doesn't matter beyond damages because even if you blow off them all it can't be revoked anyway". Like if I signed a copyright license saying "in exchange for $50/year paid on Jan 1 each year for a period of 10 years I grant a perpetual, worldwide, non-exclusive, irrevocable copyright license to said work" and then they just stop paying after the first year does that mean the license is still irrevocable, but I can sue them for damages? Or is the contract done due to non-performance? Or would that depend on other clauses? What if the value exchange is more of a quid pro quo thing, does that become a rare instance where suit for specific performance would be an option, or would the court translate it to money?

    Just really curious, I've seen that term language lots and never really gave it much thought until now. Surely this must have been fought over before. But I'd have expected a lawyer drafted response by WEKA to cite case law and any governing state/national law. Just saying "see the contract says irrevocable so that's that duh!" feels kinda odd.

    --

    Edit: Also to be clear, this is all purely dependent on any license terms actually having been broken. If none were then yes that'd be that. It just seemed like WEKA was making an argument that MinIO couldn't revoke no matter what.

    • roundandround 3 years ago

      I would interpret the Apache License's terms on breaking the license to apply to patents and there it is pretty clear that the party who starts litigation loses their own license. I don't think any open source license writer would intentionally want the situation where a middle-man causes a license to never be valid, and in this case it makes no sense as attribution is meant to be optional information.

    • asmor 3 years ago

      I think the overarching point is that MinIO doesn't understand their own license. MinIO can't retaliate at will, except by suing. It also shows that - as it has been since the inception of the AGPL - nobody knows what the actual obligations are. MinIO seems to believe that interaction with MinIO, including calling the API, makes your code subject to the AGPL too. They say as much on their compliance page.[1] This is the opposite view of someone like MongoDB, who used to have their software AGPL licensed, but explicitly made their clients permissively licensed, because their expectation from the AGPL was that it is not infectious across process boundaries.

      MinIO has taken this to other extremes, including believing that your config file for MinIO is subject to AGPL. Even if you assume that an implicit dependence on an API is making the calling code AGPL, MinIO has the least strong claim for their service being infectious, because their API is mostly a reimplementation of S3.

      This is like the "are Java APIs copyrightable" case all over again, except the people who are threatening legal action didn't even invent the API.

      [1]: https://min.io/compliance

      "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."

      • sidewndr46 3 years ago

        I read through this as well & it is a joke. Under their interpretation if I run MinIO in the Linux subsystem that is part of Windows, I'd need to open source that.

        Their interpretation is so extreme that using a browser would require me to open source the browser. If I used a shell script to test if the service is running, I'd need to make that open source too.

        There is also this: "Passing configuration parameters to a MinIO binary instance constitutes making a modified version, as it does not produce an exact binary copy."

        How do they know it doesn't produce an exact binary copy? Maybe my x86 computer is quantum based.

        I'm pretty sure if I compiled MinIO with a proprietary Golang implementation, MinIO would want me to open source the compiler.

        They also include their trademarked logo in the git repo, then try and tack on a supplemental policy about that later. Which you can't do, because the AGPL grants you a license to the logo.

        • sokoloff 3 years ago

          In MinIO's original accusations, they have a line: "MinIO recommends uninstalling $Company entirely from your infrastructure."

          When they wrote it, they set $Company to "Weka". Given the overall interaction and beyond-curious legal interpretations they are making and publishing, I read it with $Company set to "MinIO".

          • sidewndr46 3 years ago

            That was exactly my thought as well. If I were CTO I would require all teams to either use the Apache 2 version or discontinue use.

            Also what I find interesting is they accepted community contributions without a licensing agreement. So they in fact can't switch to AGPL without written consent from all those contributors.

        • asmor 3 years ago

          It might be the actual intent of the AGPL, which is why I completely stopped using it despite loving the spirit of how it is used by MongoDB.

          The FSF has an example of how to comply with the AGPL (specifically the "prominent notice") when using an AGPL licensed proxy that is pretty illuminating. They recommend you just show a landing page with a big reference to the AGPL on the first request. I'd like to see them do that with an API Gateway.

  • jzb 3 years ago

    If you read the minio blog, they give very detailed instructions on how to check that they are using the software. It shouldn’t be super difficult to figure out if any of the software being distributed today is post license switch.

    So what we have here is a very detailed description of what they are claiming is a violation, then a refutation that is very strong, but also doesn’t actually address some of the claims in the other blog, as far as I can tell.

    There is a blog from minio that says they switched to AGPLv3 in 2021. It’s unclear to me from the screenshots whether the software is later than that or not.

    I hope someone takes the time to do an independent analysis, and a more neutral take.

    Note that Weka redacted the language from the Apache license that says “subject to the terms and conditions,” which (not a lawyer) seems to allow a copyright holder to deny permission if they’re not meeting the conditions of the license. Whether they are or not is another question.

    • arp242 3 years ago

      > they give very detailed instructions on how to check that they are using the software

      It's not that detailed; it just says "there is a minio binary, and that's our minio". Okay, but what version is that? This is the crucial part, because Apache vs AGPL license makes a world of difference.

      The Apache attribution requirement seems satisfied; perhaps not as prominently as minio would like, but there is no "prominence requirement". It fails to demonstrate any AGPL code is used, although according to some other comments the minio people have a unique and interesting interpretation of relicensing where they think they can retroactively relicense Apache code to AGPL. The claim that backporting any security fixes would trigger the AGPL is also suspect; typically many security fixes are simple in terms of code changed, and tend to be fairly easy to re-implement independently once you know the description of the problem. Either way, "it's likely that [..]" doesn't really demonstrate much of anything and is certainly not "very detailed".

      In short, the minio post is vague and full of assumptions; even without this rebuttal I wouldn't put too much stock in it as it seems borderline FUD.

hiddendoom45 3 years ago

It does appear that their minio instance is the apache version. From the minio allegations the ui in the screenshots matches the pre-AGPL instance that I've kept around which was really just a simple bucket/files manager. I think all post-AGPL versions should be using the new ui announced here[1] in April 2021. The AGPL change was announced 12 May 2021[2]. The newer date in the out of date message could be due to them re-compiling the Apache version themselves.

However looking at the warp version in the screenshot, version 3.40 is licensed under AGPL.

[1] https://blog.min.io/new-minio-console/

[2] https://blog.min.io/from-open-source-to-free-and-open-source...

  • 1980phipsi 3 years ago

    Yeah, I noticed that about warp too.

nikeee 3 years ago

Didn't know that MinIO used to be Apache licensed. This [0] is the commit that changed it.

Since the S3 API largely remained the same over the last two years, it might be an option to use the Apache version, if AGPL is not possible. Of course, that would lack security fixes that were done in the meantime.

There is also a discussion [1] about that license change.

[0]: https://github.com/minio/minio/commit/069432566fcfac1f105367...

[1]: https://github.com/minio/minio/issues/12143

  • phoronixrly 3 years ago

    I hope more people start using AGPL from the get-go for their projects.

    • wmf 3 years ago

      Companies are using AGPL not to benefit users or the community but to extort users and competitors into paying them. It's becoming fake open source.

      • phoronixrly 3 years ago

        Links please, also it's literally FSF and OSI approved, how come you call it fake open source?

        • dilyevsky 3 years ago
          • jenadine 3 years ago

            > the AGPL license requires that all software connecting with MinIO be 100% open source for you/your users

            Indeed, I don't think that's correct. That depends on the definition of "connecting" but I was under the impression that if you use MinIO on a server, the services that connect to MinIO don't need to be open-source. Only the server component that includes MinIO needs to be, and only if end users are connecting to that component. But correct me if I'm wrong.

            • dilyevsky 3 years ago

              According to commonly understood agpl interpretation you’re correct but not as minio understands it:

              > Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations.

              > The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO.

              https://min.io/compliance

          • phoronixrly 3 years ago

            Seems like people misunderstanding the AGPL. (btw, I don't think this makes it fake open-source!)

            • dilyevsky 3 years ago

              Actual agpl is legit open-source, projects that try to twist agpl into more restrictive license are not

      • jenadine 3 years ago

        They're not extorting anyone. Or is anyone having a paid product "extorting" their customers?

        AGPL is true open source.

    • tensor 3 years ago

      If you are in the business of making money like minio, you may as well just use a commercial license. No business will touch AGPL, they will just opt to pay for a commercial license.

      • jenadine 3 years ago

        > No business will touch AGPL

        That's not true, I am in contact with many businesses using AGPL software. (Not Minio specifically)

        Some businesses choose not to touch it, but that's their loss.

      • phoronixrly 3 years ago

        In fact, I am starting to ask myself the opposite... 'Since project X is MIT-licensed, do they need my contribution at all? Probably not, their license probably brings them many high-quality corporate contributions.'

        • mrtweetyhack 3 years ago

          Except these "high-quality corporate contributions" are kept to themselves for corporate reasons.

      • akvadrako 3 years ago

        That's kinda why the AGPL is good; it lets non-businesses and open-source companies use it and encourages closed companies to purchase a license.

        • dilyevsky 3 years ago

          It’s not good bc it ties survivability of a project with a single company. If company folds so does your open-source project. Also imagine if linux wouldn’t be able to receive contributions from google and other big tech

          • akvadrako 3 years ago

            That only works because Linux is run by customers, which the GPL covers, instead of provided as a web service. The AGPL is needed to encourage the same contributions for SaaS products.

            • dilyevsky 3 years ago

              > That only works because Linux is run by customers, which the GPL covers

              You’d be shocked to find out but linux is also run by cloud providers and offered as a service (in the form of VMs).

              And unfortunately because of murky water of what constitutes “derivative work” in agpl (case in point - see the title of this thread) most companies won’t ever touch agpl licensed projects

tobias3 3 years ago

MinIO had a large investment round at unicorn valuation at the end of last year. Watch them desperately move up market (or more like flailing around) to recoup that investment.

Meanwhile they cannot get their software to work on ext4 and it is apparently ext4's fault[0].

[0] https://github.com/minio/minio/issues/16602#issuecomment-142...

  • dekhn 3 years ago

    You're misinterpreting the bug, the software works but could lose data. However, the person who wrote the update about O_DIRECT and ext4 in production environments is just wrong.

    • singron 3 years ago

      If it loses data, does it work?

      • dekhn 3 years ago

        I mean, losing data is an extremely complex problem. What I'll say is that I've run large production systems with heavy load on ext2 and ext4 and did not find that it "lost data" more frequently than xfs, and in fact performed fine.

        What's really important here is the person who closed the bug did so summarily, with little to no explanation, other than a reference to O_DIRECT not being supported in ext4, and therefore it "loses data" in production. This is an unprofessional comment to close a bug and I'd expect one of the co-founders of MinIO to do a better job. See https://ext4.wiki.kernel.org/index.php/Clarifying_Direct_IO%... for a discussion of the subtlety of O_DIRECT. It's also not really required to make a production filesystem reliable, and would only be a tiny part of an overall reliability solution (because drives themselves often buffer and reorder their writes, sometimes even lying about whether data was "committed durably to disk")

endigma 3 years ago

I recall minio previously playing fast and loose with the terms of their prized infectious foss license, a github issue perhaps? I recall they believed that interfacing with their AGPL minio through a standard s3 interface with no source changes mandated open sourcing of the client application.

  • xet7 3 years ago
    • dilyevsky 3 years ago

      Basically they claim that even calling it from proprietary stack over s3 api triggers agpl obligations which most lawyers don’t believe is true but never been tested in court afaik. I wouldn’t recommend touching it for anything unless you want to play those games (or unless you want to pay for enterprise ofc =)) It’s fake open source.

  • lyu07282 3 years ago

    They have a unique interpretation of AGPL, they also seem to think they can retroactively change the license from Apache 2 to AGPL on their old code. So even if WEKA forked the older version of MinIO when it still was Apache they would still violate the license. Which means anyone using MinIO without a commercial license needs to open source their entire application regardless if MinIO itself was modified or not. Well according to MinIO anyway.

    This will eventually surely lead to a lawsuit where this is tested, but in the meantime I would avoid MinIO at all cost. The commercial license to self host it is minimum $1000 per month for 100TB.

    > If you distribute, host or create derivative works of the MinIO software over the network, the GNU AGPL v3 license requires that you also distribute the complete, corresponding source code of the combined work under the same GNU AGPL v3 license. This requirement applies whether or not you modified MinIO.

    https://min.io/pricing

    • asveikau 3 years ago

      That sounds dangerous to free software/open source as a whole. Firstly, it's obviously not the status quo of how most people operate. Secondly, if they manage to win that claim in court it could encourage others to do the same.

      • lyu07282 3 years ago

        It is, just listen to what they think modification of software means:

        > To "modify" MinIO means to copy from or adapt all or any part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting derivative work is sometimes referred to as a "modified version" or we say that it is "based on" the earlier work.

        > Passing configuration parameters to a MinIO binary instance constitutes making a modified version, as it does not produce an exact binary copy.

        and what derivative works mean:

        > Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations.

        > The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO.

        Needless to say that's all completely wrong and just FUD. I think the FSF should get involved they are damaging free software as a whole. Incredibly scummy company.

        https://min.io/compliance

      • endigma 3 years ago

        It sucks how they try to use their license as a weapon rather than a shield, these things are designed to protect projects from unattributed use or modification without releasing the improvements, not meant to be used as a big stick to force people into a corporate dual license to be able to use it for anything real.

candiddevmike 3 years ago

There needs to be a phrase like "play open source games, win open source prizes" for companies that get all upset when someone else monetizes their product.

  • jzb 3 years ago

    I think it depends a lot on whether they’re upset because they failed to license the software in a way that would prevent behavior they don’t like, or because someone doesn’t seem to be complying with the license in the first place.

    If you chose a permissive license and then are shocked when people actually take advantage of that, you kind of deserve what you get. If you chose a reciprocal license and someone just ignores it, then I think you still have a license to complain. Pun kind of intended.

    • candiddevmike 3 years ago

      I personally don't care for any open source sob stories by companies that use open source as a growth strategy. When you open source something, you will need to pay the legal costs to enforce your license, the license doesn't enforce itself. It will most likely be a long drawn out process and will be a drain on your resources, especially technical ones. Don't complain when this happens, nobody forced you to open source your stuff to begin with.

      • kadoban 3 years ago

        Is anyone complaining? Seems like they're just doing what you suggest, enforcing the license.

        (ignoring that they may be wrong about the breaches of the license, I'm sure the lawyers will work that out)

      • jzb 3 years ago

        This is a curious attitude. No, the license doesn’t enforce itself. But usually when someone violates copyright companies tend to complain about it. Often that complaint is accompanied by a lawsuit, but I’ve heard a lot of complaints out of the entertainment industry the past 20 some years about copyright infringement, and I haven’t heard anybody talking about not complaining because they released things and should just assume somebody is going to infringe.

        Nobody forces me to choose an open source license. Nobody forces me to use code that is open sourced either. So it’s a curious attitude to take issue with a company that is providing software under an open source license as a bad guy for complaining when people don’t follow their license but not the entity that is violating the license that gives them the right to use software in the first place.

Takennickname 3 years ago

I just want to know if MinIO contacted Weka before this fallout or not. If not, then MinIO comes off as a bunch of psychos. If so, then grab your popcorn.

  • chatmasta 3 years ago

    According to the article, they did not:

    > At the end of the business day on Friday, March 24th – without warning, provocation, or even providing WEKA with an opportunity to review and respond to their claims – MinIO issued a public statement that made several false and baseless accusations against WEKA. It was the first time MinIO had made us aware of their concerns.

  • remram 3 years ago

    It seems they might be psychos, they are misrepresenting what AGPL allows all over their issue tracker, for example this: https://github.com/minio/minio/issues/12829#issuecomment-889...

    > Also NOTE: I need to remind you are under AGPLv3 violation here if you are using MinIO with proprietary purposes. Please consult a software lawyer for more information.

    Or this: https://github.com/minio/minio/issues/13308#issuecomment-929...

    > Also, just want to mention that the AGPL license requires that all software connecting with MinIO be 100% open source for you/your users not to be in violation of the license.

    All that AGPL actually requires is that you share the source of your server, if you modify it.

    • favsq 3 years ago

      lol @ that second link. What a bunch of crooks.

    • donmcronald 3 years ago

      > Also, just want to mention that the AGPL license requires that all software connecting with MinIO be 100% open source for you/your users not to be in violation of the license.

      So they would consider my Arq backups to MinIO a license violation? What if I access the GUI from a Windows PC? What about a Linux PC with a proprietary GPU driver?

      • sidewndr46 3 years ago

        Under the MinIO interpretation if you browse the web interface with Microsoft Edge you need to open source your browser.

yencabulator 3 years ago

What's a good simple open source S3-style object store to use? Does one even exist? Do we need to start a project to (re-)write one in Rust?

- MinIO: more trouble than it's worth, as demonstrated here

- Radosgw of Ceph: not really suitable for a single server install

- Garage (https://garagehq.deuxfleurs.fr/): Their writing about the distributed design didn't convince me in 2022.

- https://lakefs.io/ Haven't studied

kapitanjakc 3 years ago

From my perspective, only lawyers will get the benefits.

Neither Weka nor MinIO and definitely not the community.

The way MinIO's accusation was worded, it felt like this was a reaction to someone saying "Boss, they've ripped us off and are earning from it and not attributing us, here's the proof, revoke their licence."

And the way this response is worded, it feels like, "Check everything if we're using their stuff, get a lawyer to draft a response, and tell them, this is not the way to handle it."

I hope both parties resolve it soon.

lapinot 3 years ago

So they are using an outdated version because they wanted to stay with permissive licensing.. Kinda fun to see the reverse of what usually happens to a community when a company-led project goes closed source. Definitely got no empathy for weka in this case tho. Also kinda fun that minio noticed they used an old version but forgot that they used permissive licensing at that time.

  • sokoloff 3 years ago

    My experience is that it's often hard for companies (and people) to remember facts that are inconvenient for them.

    If WEKA is using Apache-licensed software in compliance with the Apache license (as they claim) and is being accused of doing something else by a company with, let's just say, non-mainstream interpretations of license terms, I do have empathy and sympathy for them. (They claim that's what's happening. MinIO claims something else. Several of these claims are pretty much testable facts and I'm sure someone with time and motivation will test them.)