Nutanix Response to Open Source Violations Allegations From MinIO

Posted July 26, 2022

To our customers and partners,

We have taken the time to conduct a thorough internal inquiry on the allegations from MinIO that we may have used software in possible violation of an open source license in our Objects product.

Our internal inquiry confirmed that we have only used MinIO code licensed under the Apache 2.0 license and we have not used any of the MinIO code licensed under AGPLv3. Since only the Apache 2.0 license applied to our use of MinIO code, we reviewed our attribution and notice compliance under the Apache 2.0 license.

During our inquiry, we discovered some inadvertent omissions in Nutanix Objects’ open source attribution and notices required under the Apache 2.0 license. For this, we are sorry and are committed to doing a better job of complying with the Apache notice and attribution going forward. We have been transparent during Nutanix Objects’ launch about MinIO use as can be seen in media coverage and do not feel this attribution omission increases risks to our customers. We have made updates to the technical information in the Nutanix Bible and to comply with Apache attribution and notices have ensured that the attribution notices are immediately available in our Objects Documentation. We will also be including the updated attribution and notices in the next release.

Also it’s important to note that Nutanix Objects is built using a combination of organic innovation and leverage of open source components including a limited set of MinIO components, and we have reduced the use of MinIO even further to just non data path components over the past year. In addition, software developed either in-house or by open source inclusion undergoes the same security oversight and review level at Nutanix. All products, and their respective components, are subject to our Security Development Lifecycle (SDL) as well as regular penetration testing and review to deliver the security our customers expect and deserve.

Posted July 20, 2022

Nutanix strives to implement unique features and innovative capabilities to delight our customers. In doing so, we recognize the value of the open source communities and take our participation and stewardship very seriously.

With respect to some recent allegations in a blog that we may have used software in possible violation of an open source license in our Objects product, please note that Nutanix stands behind our products, including any open source that we incorporate into them, and commits to indemnifying our customers against intellectual property claims arising out of the use of our products, should the need ever arise.

We will be reaching out to engage with the blog’s author promptly and will continue to update the community here.

Comments

Following our article a few days ago, Nutanix has officially answered.

To reveal this issue, MinIO wrote a blog and Nutanix replied via a blog post as well but both are official statements from MinIO and Nutanix.

This Nutanix official statement didn't mention MinIO in its first part, published July 20, 2022, but clearly implicitly addressed MinIO public statement about open source license violation.

The second and more recent part, published July 26, 2002, is clear as MinIO is mentioned and Nutanix recognizes and acknowledges some license omissions. It says: "For this, we are sorry and are committed to doing a better job of complying with the Apache notice and attribution going forward."

In reality, if MinIO didn't mention this, the situation will continue without any change. We're surprised as product management should know perfectly the situation and with this statement, they answered rapidly. It may happen elsewhere in the industry.

Since the introduction in November 2017 of Nutanix Acropolis Object Storage Service, we mentioned several times and unveil that Nutanix relies on MinIO, the most deployed objet storage. It should explain why Nutanix picked MinIO as well.

It could create some doubt on the market from lots of vendors around open source usage and integration, promoting stuff from outside as internal development. The good thing is that it invites now vendors and users to check licenses nature, alignment and compliance.

And finally it should change how analysts see and rank Nutanix for various aspect of its products and services as a classic criteria is to develop and control the software to be included. We saw the company appearing in object storage reports, should they continue to be listed, it will be interesting to see. If nothing change, it will confirm links and mechanics but let's stay positive.