On July 19, MinIO revoked Nutanix’s Apache v2 license to MinIO’s object storage suite due to violations of that license. This is an update to that post.
Nutanix admitted they violated MinIO’s Apache 2 license. The open source movement depends on the protection of intellectual property to ensure freedom for all the users. Nutanix’s behavior in this matter is concerning.
The Nutanix blog claims the notice failure was “inadvertent.” We informed Nutanix in December of 2019 that they were lacking the appropriate attribution.
During the intervening years, Nutanix actively misled industry and financial analysts, telling them they were no longer using MinIO code. This allowed them to participate in things like the Gartner Magic Quadrant, IDC Marketscape and GigaOm Radar – evaluations they would have otherwise been excluded from.
Nutanix claims that they only use “a limited set of MinIO components” which is “just non-data path components.” We would ask the following: if their usage is limited to just a few components, why is the entire MinIO binary present in the Nutanix Objects code? If the “limited set of MinIO components” is so small, why not just remove them?
Something doesn’t add up.
MinIO has revoked the license to Nutanix. We did so on July 19. We fully expect that the entirety of the binary including the “limited set of MinIO components” will be removed from the Nutanix Objects code completely. Until then, Nutanix should not distribute any Objects product containing our code.
Furthermore, Nutanix customers should know that their existing code is unlicensed and they should check their indemnification clauses. They should also check their security exposure. Despite assurances otherwise, there are and will continue to be security advisories. These security issues are fixed in the AGPL v3 code; we cannot speak to how Nutanix addressed them in the Apache v2 code. Customers should be asking questions.
We are committed to defending the open source model. We fully expect that Nutanix will comply with the request to remove all MinIO software from their products.
This 3rd episode of the MinIO-Nutanix saga should end with this last MinIO post.
As MinIO stated, Nutanix's behavior invites end users, partners and the vendor community to ask the question for themselves, and to ask whether other potential issues could happen again. We imagine that Nutanix took this opportunity to check all their software stacks and services.
Again, we were and are very surprised by this attitude from such a company, a public and well-respected one that has introduced some interesting solutions to the market since its inception, but now the doubt exists.
As MinIO stated, the first notice was in December 2019, almost 3 years ago, and until this information became public, Nutanix didn't change anything, illustrating the battle and implicit pressure from a gorilla. Following this revocation, it will be interesting to see how Nutanix promotes its object service from now on.
The latter received positive consideration in public reports for this service, and several serious analysts added it to their respective rankings and player lists, even though one of their criteria, a key one, was ownership of the software. We saw that Gartner and IDC mentioned them; let's imagine the same reports without Nutanix. Coldago Research refused and did not list Nutanix in its Map 2021 for Object Storage for that reason.
The good effect of this partnership issue is that it creates a starting point for all players to check their open source dependencies, license behavior and declarations.
We hope and expect that this 3rd episode will be the last one, with things going back to normal.