We apologize. We did a terrible job announcing the end of Docker Free Teams (docker.com)
592 points by mmbleh 78 days ago | 307 comments

Previous communication:

> If you don't upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that period you will maintain access to any of your public images.

New communication:

> We’d also like to clarify that public images will only be removed from Docker Hub if their maintainer decides to delete them. We’re sorry that our initial communications failed to make this clear.

Given these statements directly contradict each other I am a bit surprised this is called clarification. It feels like they changed the actual strategy, not just the communication around it.

(from Docker DevRel team)

> Given these statements directly contradict each other

Actually... they aren't contradictory. The organization data will be retained for 30 days and is subject to deletion. That data includes the teams, memberships, etc. But, it wasn't clear what we were going to do about the images. Keeping the public images is important as many other images build on top of them.

> It feels like they changed the actual strategy

We recognize it might feel that way, so apologies. But, that's part of where we recognize it wasn't clear on the technical details... we didn't talk at all about the images. After the feedback, we recognized this, so wanted to make that clear.

If you are deleting the organizational data and effectively archiving [1] all the images, keeping only the option for public images to be pulled but not updated... then how will affected maintainers be able to delete their now out of date public images after the 30 day cut-off? You will have to retain enough of the organization data to allow that to happen.

Keeping the public images available in an archived state is okay for specific image references, but questionable for specific image tags and somewhat irresponsible for the `latest` tag. A `latest` tag that cannot be updated is ... worse than no `latest` tag.

Responsible maintainers that are unable to apply for open-source status or otherwise sponsor their usage of organization public repos should be advised to delete their public repos.

Responsible users of public images on Docker Hub need to have a way to determine which images will be affected, and which will continue to be maintained. Archiving the public repos gives an extended grace period, but users will still need to be prepared to notice if they end up using a now unmaintained, archived repo and migrate to alternative image sources.

[1] https://news.ycombinator.com/item?id=35188691

"somewhat irresponsible for the `latest` tag. A `latest` tag that cannot be updated is ... worse than no `latest` tag"

What's irresponsible is relying on a "latest" tag for updates.

The irresponsible thing is making it so the tag exists, but the organization behind it cannot update it.

Let's take for example the "jenkins/jenkins:latest" image.

Jenkins is notorious for having security updates, so in 2 years, if the latest tag is still there and frozen, it will be an attractive nuisance, causing people to download insecure software...

That's what the parent comment is trying to say. It's irresponsible to leave the image that implies it's "up to date and secure" because it's "latest", but is really insecure, and the organization owning it cannot change anything about that without paying $$. It's basically holding users of the image hostage.

You missed his point. He's saying "latest is an anti-pattern". Which is correct. Everyone should be pinning to specific versions or semver to avoid being accidentally upgraded to a release with breaking changes.

Yes, obviously making existing tags immutable is bad. Nobody is disputing that.

There are exceptions though. I'm the kind of person that would pin Jenkins to latest even if it is an antipattern. I'm way more concerned about security flaws than a temporary CI breakage. So for me: Everyone should be pinning Jenkins to latest to avoid accidentally staying on a release with security holes.

You are not only auto pulling fixes but also auto pulling new security holes though.

My take on Jenkins with all its plugins is that it needs to be properly shielded from external access anyways.

You probably want to pin to at least a major tag to avoid auto-pulling breaking changes at any moment but still getting security updates.

It's not just `latest` tags, it will also affect any other image tag.

If you've been referencing org/image:tag where tag=major-minor, and gets updated when there's a patch, then that's going to stop getting updated.

Without either the tag being deleted (and thus your pulls failing), or going out to find updates on that container - you may not notice that it's fallen out of date and the image/tag is no longer being updated.

With the entire organisation being removed from Dockerhub, it sounds like there's not even going to be a way for people to say "We've moved off Dockerhub, our images/source/etc is now over here".

You'll just have to search and hope you can find where it's moved to.
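An added example, not part of the original thread: one way to find the base-image references this sub-thread worries about is to classify every `FROM` line in a Dockerfile by how its tag is expected to move. The category names, the sample Dockerfile, the `exampleorg` repositories and the digest are constructed for illustration; whether a given repository has actually stopped receiving pushes cannot be told from the reference alone.

```python
import re
from typing import List, NamedTuple, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# One, two or three leading numeric components, optional suffix such as "-slim".
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-_.].*)?$")
# Tag kinds whose users expect the tag to be re-pushed over time.
MOVING = {"floating", "rolling-version", "named-tag"}


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


class Finding(NamedTuple):
    line: int
    reference: str
    registry: str
    category: str


def parse_ref(ref: str) -> ImageRef:
    """Split [registry/]repository[:tag][@digest] using Docker's defaults."""
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
    tag = None
    # A colon after the last slash is a tag; before it, it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return ImageRef(first, rest, tag, digest)
    # No registry host given: Docker Hub, with library/ for one-part names.
    repository = ref if "/" in ref else "library/" + ref
    return ImageRef("docker.io", repository, tag, digest)


def classify(image: ImageRef) -> str:
    """Name how the reference is expected to change over time."""
    if image.digest is not None:
        return "digest-pinned" if DIGEST_RE.match(image.digest) else "bad-digest"
    if image.tag is None or image.tag == "latest":
        return "floating"            # implicit or explicit :latest
    match = VERSION_RE.match(image.tag)
    if match is None:
        return "named-tag"           # e.g. :lts, :stable
    # major or major.minor tags are re-pushed for patches; x.y.z usually is not.
    return "full-version" if match.group(3) is not None else "rolling-version"


def audit_dockerfile(text: str) -> List[Finding]:
    """Classify each external base image; skip scratch and earlier build stages."""
    findings, stages = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=
        if not args:
            continue
        ref = args[0]
        has_alias = len(args) >= 3 and args[1].upper() == "AS"
        if ref.lower() not in stages and ref != "scratch":
            if "$" in ref:
                findings.append(Finding(lineno, ref, "?", "unresolved-arg"))
            else:
                image = parse_ref(ref)
                findings.append(Finding(lineno, ref, image.registry, classify(image)))
        if has_alias:
            stages.add(args[2].lower())
    return findings


def silent_staleness_candidates(findings: List[Finding]) -> List[Finding]:
    """Docker Hub references that keep resolving even if nobody pushes again."""
    return [f for f in findings if f.registry == "docker.io" and f.category in MOVING]


# Constructed sample input; the digest is a placeholder, not a real image.
CONSTRUCTED_DIGEST = "sha256:" + "ab" * 32
SAMPLE_DOCKERFILE = "\n".join([
    "FROM --platform=linux/amd64 jenkins/jenkins:latest AS ci",
    "FROM python:3.11-slim AS build",
    "FROM quay.io/exampleorg/tool:1.4.2",
    "FROM exampleorg/base@" + CONSTRUCTED_DIGEST,
    "FROM build AS final",
    "FROM scratch",
])

if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(finding.line, finding.reference, finding.registry, finding.category)
```

References reported by `silent_staleness_candidates` are the ones to check against the registry's last-pushed date or to re-pin by digest after confirming the upstream project still publishes there.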

is it?

sometimes I want a container running the latest version of something. maybe i'm integration testing my stuff against that release to make sure stuff still works. or maybe I'm hoping a bug was fixed and will version pin later.

i agree that production software should version-pin all the things, but latest still has a place.

Deleting 'organization data' absolutely read that they would delete everything. Changing direction and back pedaling with a non-apology is borderline insulting.

I understand the need to make money as a company, but it really is biting the hand that fed messing with open source maintainers

I have no horse in this race, but fwiw, I can see how this mistake would be made honestly. Organization data could easily refer to just the metadata of the organization, and depending on how the product is structured[1], could feel quite different from public images.

[1] Disclaimer: I don't know how the product is structured.

They really think we're idiots!

Marketing people try to explain away mistakes with doublespeak. Isn’t it grand? They keep digging deeper at this point.

"Actually" is not a great word to use in the context of an apology.

We have learned that public images are NOT organization data!

With the organization data gone, will there be a way to update the retained images, like security fixes etc? If not, then this could become very dangerous.

Really, if they delete the org data and images can’t be updated, it might just be better to delete them all just to avoid these inevitable issues (maybe with a longer delay). Just rip the band-aid off and be done with it.

Relying on a free service for important work? Maybe they are right.

Silly us, I suppose we should stop relying on APT/RPM/what-have-you Linux package mirrors, NPM, NuGet, PyPi, Hex, RubyGems, Crates, ... too.

No. There's a huge difference between a volunteer driven organization and a for-profit company.

Their goals are completely different. The latter is not there to give you services. It's there to maximize shareholder value.

It's sad to see that HN can't even tell the difference anymore.

Neither npm nor NuGet are volunteer driven organizations. npm is owned by Github, NuGet is owned by Microsoft, and I'm sure that there are dozens of other examples behind many key pieces of free dev&ops infrastructure that are owned by for-profit companies.

Are they allowed to do it? Of course! Are we allowed to call them out on their bait & switch tactics? Of course, what else are we supposed to do?

Just because something is common, like building a user base based on implicit promises and then pulling the rug once the service reaches critical mass, doesn't mean it should be accepted and normalized.

> npm is owned by Github

And GitHub is owned by Microsoft, duh. And they don't do this stuff out of the kindness of their hearts.

> what else are we supposed to do?

How about not falling for the same trap again and again instead?

> ... pulling the rug once the service reaches critical mass, doesn't mean it should be accepted and normalized.

Then don't sit on that rug.

You don't have to lecture me about the pitfalls of willingly relying on for-profit companies or the benefits of decentralization, but in the case of Docker we don't really have much of a choice unless you're suggesting that we don't use it at all.

Images are published wherever the author decides that they're published and these changes are going to affect everyone who relies on an image that used to be hosted on Docker Hub.

We all rely on many free services and code. And, by the way, I'm a paying customer - I don't use their services but do this to support the pioneer!

I understand you are in a difficult position, but this is a bit absurd.

> During that period you will maintain access to any of your public images.

The only reason that sentence would be in there is if after that period you would lose access to the public images! And from Merriam-Webster, "access", verb, definition two: "to open or load (a computer file, an Internet site, etc.) a file that can be accessed by many users at the same time".

> it wasn't clear what we were going to do about the images.

No, it was quite clear; after the 30 day period we would not be able to pull the images. That's what the announcement said. It was not ambiguous. That may not have been the policy or what was intended to be announced, but the issue here isn't a lack of clarity.

(Also, letting the images stay accessible but disallowing any changes is only marginally better than just removing them, so the current policy - whether or not it's the same as the originally announced policy - is still terrible.)

I’m guessing they mean “write access.”

Write access is a subset of all access, so I don't think we can really argue that the plain meaning of the original statement was about removing write access.

But yes, a missing word is certainly a plausible explanation for how they issued a statement that meant the opposite of what they apparently intended.

But the original statement did not say all access, it merely said access:

> During that period you will maintain access to any of your public images

Assuming that the you in that sentence is the organization and not the general public (given the use of your organization earlier in the paragraph), the logical interpretation is that they meant write access here, and not all access -- since read access is not limited in any way to the you in that sentence.

Yes, I agree the original messaging was terrible. But claiming that the original can only have meant all access is not consistent with the wording of the announcement.

>Actually... they aren't contradictory.

They are. Your intent may not have been contradictory, but the messages received by everyone else were contradictory. You should own that if you are serious about doing better. Your intent doesn't really matter in these situations.

Yeah, really weird that after an apology announcement they’re still defending the original message at all. Not too hard to say “Yes, those messages contradict each other. The first one did not communicate our actual plan. The second message is a correction and clarification.”

It is important to understand that most corporations do not apologize, ever, unless there is a direct threat to cash flow.

This behavior is now demonstrated, it is the desired relationship, and it will be the baseline, all protestations aside.

The apology is meaningless. If this is not what you want, then take steps to limit the damage done to you, and do it now.

More cynically, the intent might be blaming image maintainers: since obsolete images that appear current are a problem, responsible maintainers will delete them before losing access; then Docker will be able to tell inconvenienced end users that the maintainers autonomously and unnecessarily decided to remove their images.


That's.... why they are saying it was poor communication.

They did in the OP link. To say now in comments "It's not contradictory" is not owning up to it being bad communication

What? That does not follow at all.

>>>During that period you will maintain access to any of your public images.

What did this mean in that case? That the images will continue to exist but the maintainers cannot update them? They'll just become orphaned?

(from the Docker DevRel team)

"During that period" refers to the 30-day period. During that time, the images are accessible. After the 30-day period, they will still be pull-able, but not able to be updated.

So, any public image where the maintainer doesn't jump through hoops gets frozen in time, unable to be updated, and starts accumulating CVEs? This sounds worse than deleting the image.

Any smart FOSS maintainer will find alternate hosting...

> Any smart FOSS maintainer will find alternate hosting...

I think that’s obviously the point of the whole exercise — pony up or leave. They’re just doing it in an annoying manner

Can't believe how soon this announcement came after the redhat "we're killing centos support now, best of luck". It's pretty clear how this industry reacts to major support changes with no heads up.

This is an important implication that needs to be brought up in the FAQ explicitly.

In other words, the public repos are being archived. If I was a maintainer responsible for providing up-to-date and secure images, then I think it would indeed be my duty to delete them, if I am no longer able to update them.

> If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply.

Specifically (emphasis mine):

> During that time, you will maintain access to any images in your public repositories

So, the logical conclusion, which literally everyone else on HN had, was that after that time you will lose access to images in your public repositories; access meaning "we can get to the image" in this context, because that's what people f-n care about.

Not to mention the other part, about how Docker will still have images available for pull that can't be changed, for which there is no way to "forward" user pulls elsewhere if the developer chose to not pay the fee; so in effect you're capturing their user base with old software and almost no way to know that.

"DevRel" at Docker failed this week. Just own up to it, take the hit, and don't be evasive. Evasiveness is shady and no one trusts that bullshit.

Delete them.

Keeping them read only is literally the worst solution. Old images that can't be updated and accrue security flaws, all while uninformed users see the address still works and assume nothing needs to be changed.

Your corporation picked literally the worst way to do it.

>> Your corporation picked literally the worst way to do it.

I disagree. The worst way would be to make a blanket decision for all projects on their behalf.

This way they let the project maintainer decide.

For projects that don't get updated, it's better to leave them where they are.

For projects that are changing the maintainers can choose to delete (or move to a paid / OSS plan).

Choice is good, and giving that choice to maintainers is good.

The final act of goodness (and I'm not clear yet) is whether maintainers will be able to delete an image at some point in the future. Like say a year from now. Possibly by creating a paid account, and "reclaiming" that image.

Personally I agree that your advice to delete them may be the best option for most maintainers who have decided to leave. And they currently have the ability to do that.

Hence my assertion that your statement is incorrect.

You didn't address the issue of security. The problem with leaving it up to the projects is that projects won't necessarily respond, and we don't want the foundations of the next Mantis 26M rps botnet to get its start from PULL insecure:latest.



To any reasonable average person, these mean the same thing.

Absolutely not. For users, yes. For the person uploading/modifying the image, hell no.

So you’re going to continue to host images that have severe remote code execution exploits?

With no way for the person who posted them to ask people not to use them?

It appears that even after nonapology they still don't get the fucking problem.

The whole thing only needs docker infrastructure getting hacked because it used some of the now-orphaned containers to complete the shitshow

I wonder what a court would think about who'd be legally liable there?

BigCo or GovDepartment gets popped via a known exploit against a fixed bug in an OSS project, but GitHub has prohibited the project from updating the exploitable image they host without paying a ransom of $420/year?

> So you’re going to continue to host images that have severe remote code execution exploits?

That seems a great way to take some very significant reputation hits.

> Actually... they aren't contradictory.

you're on the Docker DevRel team, why are you talking like this? why do you feel the need to be confrontational? not a good look.

Somewhere in Silicon Valley are the people who were passed over for this job, yelling at their phones. Maybe they should get a call back.

Communication isn't about what you meant, it's about what the person you're communicating to thought you meant.

Can the images be updated after the organizational data is gone? If not, is there a security concern, since vulns are likely to be discovered in future?

Face it, you're on heavy damage control and it just seems... untrustworthy.

sooooooooooooooooo orgs that didn't want to upgrade are still left with users pinned to old address of the image with no option to push security updates?

You are right, it's two different messages.

I always am annoyed by how companies apologize for the communication or the confusion arising after the communication. As if we, the public, didn't understand properly or are too dumb to understand what they tried to say. We understood perfectly and the _message_ was dumb, not the communication around the message. It doesn't feel like an honest apology.

Dude: "the message" is "the communication".

"No no no, the message in our contradictory communication is actually the message that you can interpret that contradiction with if you have this new piece of previously undisclosed information! How could you possibly have been confused by that? We are DevRel, we are communication professionals..."

rolls eyes OR, their marketing and DevRel departments and their engineering departments simply had a miscommunication; when it was realized, the present post was composed.

This kind of thing happens inside companies all the time, including the one you're probably working at right now.

No need to get up in arms over it.

People who are busy working aren't going to rush to HN to post about how they understood the announcement and are reacting as needed.

People who are bored (like me) will post rants and accusations.

No need to try and reframe or defend a bad decision. They should be held to account.

I don't believe it was a miscommunication. Even if it was a company as important as Docker inc, mentioning DELETING containers requires some care and should raise some flags at any serious communications department.

This is not just the wrong date for a convention in the newsletter. What impact does it have on the ecosystem they've built? Some really serious projects use Docker and even if they have their own repositories can they be sure the software they rely on can keep publishing containers?

Even at the tiny startups I've worked on I'm asked to proofread any technical stuff they want to publish, I assume Docker does too.

Nomenclature nitpick: "deleting images", not "deleting containers". Images are what they host. Containers are running instances of an image.

This is why I believe that they changed what would happen after the pushback and are trying to hide that they changed.

In reality they were probably just going to disable access to updating all along and then maybe someday delete things, but didn’t want to say exactly that.

The thing is, if images are still accessible, then they still incur egress costs for Docker, thus negating the potential cost savings from this move.

So at best, they just tanked their reputation for... minimal cost savings?

Egress is (relatively) cheap and the amount of it will dwindle over time as the images become more and more "out of date".

Both sound like "you won't be able to update them", so images sort of permanently squatted and growing tech debt, potentially vulnerabilities, etc. They should really allow for configuring the ":latest" tag to raise a 404 or something if this is what all that means.

By relying on a tag for your security you're opening yourself up to vulnerabilities.

Relying? I was assuming a 404 for "latest" might cause people to look into what happened with the image and find its new home. Without locking them out of specific versions if they needed them for some reason.

Exactly! I remember the original email mentioned deletion and now they say "we never said that".

Time to get rid of Docker in our world.

Please share a copy of that email.

Docker is sunsetting Free Team organizations

Free Team organizations are a legacy subscription tier that no longer exists. This tier included many of the same features, rates, and functionality as a paid Docker Team subscription.

After reviewing the list of accounts that are members of legacy Free Team organizations, we’ve identified yours as potentially being one of them.

If you own a legacy Free Team organization, access to paid features — including private repositories — will be suspended on April 14, 2023 (11:59 pm UTC). Upgrade your subscription before April 14, 2023 to continue accessing your organization.

If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply. At any point during the 30-day period, you can restore access to your organization account if you upgrade to a paid subscription. Visit our FAQ [1] for more information.

[1] https://web.docker.com/rs/790-SSB-375/images/privatereposfaq...

This is the exact quote that was already up-thread of here, and they absolutely are not claiming they "never said that"; instead, they are clarifying that "organization data" does not include "public images", and while that's confusing, I can appreciate why they didn't think it would be and--lo and behold--they are publicly apologizing for being so confusing and taking the hit for having done so.

It's the very next sentence after that one that they are claiming has been practically universally "misunderstood".

"If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply."

The cynical devil on my left shoulder is telling me "Some smartass in an emergency meeting noted the ambiguity in that second sentence, and suggested let's just claim that 'During that time you will maintain access to any images' did not actually mean its obvious implication that 'after that time you will no longer have access to any images' and this is all just a big misunderstanding" - and that's how we ended up with this new "clarification".

The even more cynical devil on my right shoulder is telling me some actively evil asshole intentionally wrote that ambiguous sentence to give themselves a 'get out of jail card' in case complaints went viral...

im looking forward to hipster posts about compiling and running your stack directly on a machine. probably one, and it'll be faster. that'll be great

Nah, Docker/containers are here to stay. But Docker, Inc. isn’t.

No no no, you build your stack, transpile it to WASM, and run it on your user's phones! WebRTC to run a distributed shared database across every phone that's not behind NAT! No servers. No databases. No electricity bills. Your backend hardware fleet automatically updates itself every couple of years _and pays_ for it itself!

Wait, that's hipster now? Isn't that a graybeard thing?

With what?

Podman is pretty good, and more or less a drop-in replacement.

Yep, already wrote an internal guide for my whole team to move away from docker into podman+quay.io by the end of next week.

Works like a charm on our macbooks, very neat.

Even if we need to pay, I’m looking for alternatives not Docker Inc. - There is only so much you can take.

I don’t want to rely on them anymore.

Any chance of seeing a version of that guide outside of your organization?

Someone on lobste.rs mentioned quay.io (maintained by redhat) as an alternative to dockerhub. Anyone have any experience with it?

Given the CentOS shit, I'm not convinced jumping from Docker Inc to RedHat is appropriately mitigating the risk of a corporate rug pull once they've decided it's time for the next step in their enshittification plan...

It started as a CoreOS project and for a long time it was the only enterprisey registry, and it included security scanning. Had some availability issues some time ago, but AFAIK today it's pretty good.

The software is nice, if looking to run your own - I'd recommend it over the typical Docker-provided incantation

Way more enterprise appropriate, for example - granular control on caches

If you want actual reproducible, actual portable software, Nix. Otherwise there are countless other OCI runtimes, cri-o, containers, etc. Kubernetes doesn't even use Docker.

What a thing, docker. I can't get over the staying power it has had despite... Everything.

How do I run the ecosystem the docker already has with nix alone?

It's not just the runtime.

I'm not certain what "ecosystem" means in this context, but you can build docker images using Nix. It's actually pretty cool because the image only contains the runtime dependencies of whatever you throw in the container. No package manager or build system is included. I've only tinkered with Nix, nothing in my professional life, so YMMV.

I'm super interested in the ecosystem you mean here. I'm assuming that you mean ecosystem around images like kubernetes, ECS, etc like the other commenter guessed?

If so, I think Nix being able to create docker images addresses that specific concern.

I can easily install many apps hosted at the Docker hub but how would I achieve that without Docker hub, unless everyone starts hosting things elsewhere but that'll take a good while assuming the community's consensus is to ditch Docker altogether.

> I can easily install many apps hosted at the Docker hub but how would I achieve that without Docker hub,

I'm sorry, I don't understand what you mean.

Can nix run images created with docker?


See https://nix.dev/tutorials/building-and-running-docker-images

Or do you mean run as in "use docker image(s) within a nix expression". Like if you have a webapp with a nix devshell but want to start the docker postgres container for development?

You can do that too, yes.

If you run a company wouldn't it be cheaper to just pay. This can't be worth the trouble changing everything


This is just a big "fuck you" to non company supported open source projects, as it turns out even ones labelled "sponsored oss" on Docker Inc's own website.

Which are all clearly insignificant and unimportant, dumb little command line utilities and libraries like, say, curl...


Hi, ah... perhaps I'm an idiot for asking, but why does a near-ubiquitous system utility like curl need to be installed via a container? Is it not available on something like Alpine... and if so, then maybe it should be?

It's like saying I have to install `vi` via Docker... please don't tell me vim has a Docker hub repo too...

Reminds me of the gaslighting of the D&D community recently around changes to the license there.

It’s like watching a five year old who’s convinced he can fool his parents.

sorry what d&d license change?

WotC tried to retroactively revoke an open gaming license that had been in widespread use since 2002. They had a legal theory why they could do this, but that theory contradicted quite a few public statements they had made on record. IP lawyers had very mixed opinions.

Many TT-RPG players enjoy reading rules carefully and figuring out fun ways to "exploit" them. So everyone jumped on WotC's changes and dissected the implications. And many companies in the larger ecosystem quickly announced plans to ship their own games competing with D&D.

WotC decided to back down and to just use Creative Commons, which largely resolved the immediate issue.

My first reaction to the news was "ok, net positive, unmaintained images will get cleaned up and break builds, and fewer people will then be bit by vulnerabilities in unknowingly used abandoned layers". But I guess not?

That depends on what "organization data" means. Does that phrasing cover the images or just the existence of the organization in Docker (i.e. deleted organization)?

> During that period you will maintain access to any of your public images.

Pretty unambiguously means "after that period you may not have access to any of your public images".

Isn't that like a service like Github saying 'you will maintain access to any of your public projects' as in administrative access to one's own projects. After that period, you are no longer the owner of that repo and you no longer have "access". So I can still clone your github project but alas you no longer can commit to it.



Doesn't sound like it to me. If they meant "administrative access" they should have said "administrative access". They didn't, they just said "access" which unambiguously means just "access". Would've been very easy for them to make a one word correction somewhere in the dozen or so people who should have read this before it went out. But they didn't, they just said "access". If they wanted unambiguous meaning, they could have easily just said what they meant.

Methinks that's exactly what they did

Well, methinks otherwise. Lack of access does not mean files deleted. Organization data deleted means account deleted. Contention here was the claim that they have done a uturn but they never said they will delete images. This entire somewhat useless thread is about whether lack of access actually meant images deleted. (Administrative is a word that I used in my comment and a red herring to pick on, quite frankly.)

> They didn't, they just said "access" which unambiguously means just "access".

Not only that, they said access to your public images. Not "access to your account" or "access to your project". They explicitly mention "any images in your public repositories" as a thing that you will "maintain access" to "during that time".

The third sentence in their apology is "This impacted less than 2% of our users." What is that supposed to convey? It feels like a handwave.

'We're sorry we mistreated you, look how small you are to us.'

One of the difficulties of public relations is communicating to multiple audiences at once. One of Docker’s audiences are the paying customers who are outside that 2% and would want some assurance that if docker makes errors, those errors are smaller in magnitude. This statement seems like it is aimed at assuaging the worries of that audience. Is it good practice? I do not know.

> One of the difficulties of public relations is communicating to multiple audiences at once.

Why not just release multiple statements and links?

"Click here for customized PR statement if you are an open source developer"

"Click here for customized PR statement if you are a closed source developer"

"Click here for customized PR statement if you are an executive who can't code"

"Click here for customized PR statement if you are a billionaire who invested in Docker but secretly don't know what it is"


Is that a serious suggestion? Who on earth would take the time to look through all of those to see which one best fits them? Companies have enough trouble getting press releases read already.

I guess then you could use some heuristics and ChatGPT to tailor the press release to the particular viewer.

For example if the user has a screen resolution of three 4K monitors side by side, using Linux, and coming from a Silicon Valley IP address, they are probably a developer. If they have the screen resolution of an iPad Pro and a New York IP address they are probably an executive on the go. The HTML5 accelerometer API might also say something about whether they're reading your press release in bed, while sitting, or standing. Use ChatGPT to reword the press release appropriately.

This is a genuinely terrifying vision of the future. Already things like prices may differ based on one’s location. Adding content writing AI to the mix is positively dystopian.

That could be a more effective approach.

What if you are a "closed source developer" at work but an open-source one during your free time? What if you are a billionaire who codes? What if… etc. You could make TL;DRs targeted at specific audiences, but you still need the same introduction for everyone.

ChatGPT> Could you rephrase the PR statement to the ad profile of this HTTP client?

Can't they say something like "a small and important group", yada yada, etc. Just laying out the % alone is derisive and pointless.

Well, the end result would be someone else complaining about that phrasing being insulting, or a lack of transparency or something.

There are 2 audiences: 1 with impact and 1 with 100% impact. The relative size of those audiences is irrelevant to the people in the audience.

The 2% they’re referring to are businesses that are using Docker’s hosted services for free. The majority of the outrage was from people thinking about the non-business users, that is, open source projects, which Docker unintentionally implied would be impacted by this change. Docker are apologising for their poor communication which made people think this change applied to more than just a tiny portion of the user base (who are probably happy to pay). They’re not apologising for the change.

Anybody who uses "docker pull" or "FROM" and not pointing at their own hosting or their own paid Docker account was affected as evidenced by the thousands of comments worried about the impact.

Well, they say they were never actually affected

> We’d also like to clarify that public images will only be removed from Docker Hub if their maintainer decides to delete them.

> Will open source images I rely on get deleted?

> Not by Docker. Public images will only disappear if the maintainer of the image decides to proactively delete it from Docker Hub. If the maintainer takes no action, we will continue to distribute their public images.

People may have thought they were affected, which is what they seem to be apologising for.

They also are saying the maintainers will be unable to update the images after the 30 days. So the panic and bitching are perfectly deserved: https://news.ycombinator.com/item?id=35188691

For TEAM accounts that aren't "Docker sponsored open source" teams.

They should allow a TEAM->PERSONAL conversion for any open source account that doesn't qualify to be "Docker sponsored." But really this is a communications fail more than anything.

No. This was NEVER implied at all.

This only ever applied to the *Team* accounts. I have a paid non-team/personal account, but I am also aware that I could have a free personal account if I didn't need private repositories.

In other words, they weren't clear enough in their communication, which is what they're apologizing for.

But the internet outrage mob is going to yell about the evil of The Man no matter what I say, so I don't know why I bother...

> Less than 2% of Docker users have a Free Team organization on their account.

I don't think so. The quote above is what they say on that page, and I think that is a pretty useless metric. It affects 2% of all Docker Hub users, 100% of all Free Team users.

Ever wonder why Google outage notifications always say stuff like "this impacted 0.01752% of users"? Because if they leave that out, the PR department ends up flooded with questions from reporters about "how bad was this outage, exactly?", and less-diligent publications running "Google suffers massive outage" headlines.

It's really misleading though, as it only reflects the owners of the images. Presumably I should count as an affected user if I don't own the image, but try to download it.

I think that's what they're trying to say: you're not an affected user if it's not your image, because you can't download it in the first place.

Meaning I can't download it because their account was zapped after the 30 days? I could certainly download it before all this.

Nope - public images are not affected - you never would have been able to download a relevant image if you weren't in the private org.

I'm still confused. As I understood, for example, "httptoolkit" is one of the affected accounts.

They have public images here: https://hub.docker.com/u/httptoolkit

The original announcement said:

> If you don't upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that period you will maintain access to any of your public images.

That sounds a lot like the public images were subject to deletion. At the very least, subject to being frozen in time and not updated/updateable, which can be worse in some cases.

It's worse than just handwaving, it's straight up nonsensical. Perhaps it is literally true that only 2% of distinct accounts that log into Docker Hub have this plan, but for the vast majority of people "using Docker Hub" means "pulling public images from Docker Hub", not "logging into Docker Hub", so by a more reasonable criterion (say % of images pulled) I'm sure it's at least an order of magnitude greater.

Yea. I don't think it's necessary to even add that part since it seems the only reason they are responding is due to the negative backlash from the open source community. The fact that they added the % appears to me as an attempt to marginalize and compartmentalize the perception of this decision so it doesn't spread into the perception of their paying customers. Good luck with that.

(Note: I'm neutral on the main issue of whether Docker's moves are evil, etc. I don't really care)

To me this "This impacted less than x%" business is more of a classic Apple damage control PR statement, designed to convey to the whole userbase, "You almost definitely aren't affected, it's just a tiny number of whiners making all this fuss, and look how small they are!"

The most favorable percentage possible, probably. Rather than percentage of requests, percentage of active users, etc.

I think that was an attempt to describe that the change won't delete tons of projects like many believed, and break downstream users, not that it was too small of a group to care about.

Also, the 2% of the impacted users might have 50% of _all_ users as a dependency (just throwing out a random number for illustration), so I'm not sure that the "2% users" messaging matters to the recipients of that PR.

They are trying to use a small number they conjured from the statistics to diminish the scale of the problem.

99% it is "the number of accounts affected" and not anything to do with number of downloads of images hosted there.

> 'We're sorry we mistreated you, look how small you are to us.'

They could choose not to share any data, which is what most companies default to.

You're complaining about something so small as if they aren't handling this entire thing beautifully at this point. They noticed their mistake, and corrected it swiftly to keep the community from bifurcating. What else do you want, exactly?

> What else do you want, exactly?

There's a world of difference between "This impacted less than 2% of our users." and "This impacted about 2% of our users."

The first implies that they have up to 2% of users which they don't respect, and undermines their apology.

I agree that it's good that they responded quickly, and I know there's a tradeoff between fast and perfect.

> There's a world of difference between

No there isn't. This is entirely subjective and you're acting like they said "Fuck our customers" when they just shared data. Anything you want to imply beyond that says more about you than it does about any part of Docker.

> The first implies that they have up to 2% of users which they don't respect, and undermines their apology.

Where does this implication come from? Why is Docker not given the benefit of the doubt when they are already extending an olive branch...? This isn't Microsoft.

I guess if you want to change things, you should shoot for a position in PR at docker. Otherwise, you look like a rube for acting as though they "could have done better with one sentence." I bet you're fun at parties.

Another attempt to marginalize. Maybe you should apply for their PR position.

An olive branch is, "We fucked up, sorry about that, this is what we are going to do, or not going to do moving forward to fix the issue."

Fuckery is "We apologize but it was only poor communication and it only impacted a small and insignificant part of the community".

This isn't an olive branch. It's damage control with an attempt to change perception. It's not even remotely close to trying to right a wrong.

You couldn't be more out of touch on this topic. Keep playing victim though, it's cute.

They said they intend to delete customer data if they don't switch to paid plans: this means "fuck our customers", collectively and indiscriminately, not only the selected foreclosed accounts but everybody that depends on them.

> They said they intend to delete customer data if they don't switch to paid plans

Customers who are running businesses and knowingly breaking the ToS? I'm not sure why businesses like Docker aren't allowed to defend their revenue.

It's actually pretty hilarious how many of you are coming out of the woodwork to attack Docker, they are not the enemy in any way, shape or form and if they disappear you're gonna miss them.

Personally, I expect what I paid for from a free service, and I consider depending on gifts and uncertain platforms a reckless risk.

But, as a business whose prosperity depends on the goodwill of masses of users, Docker can and should "defend their revenue" in a way that minimizes collateral damage in the form of

1) gratuitous bullshit, untrustworthiness, lack of transparency, and perceived evil intentions (e.g. their second announcement)

2) technical uncertainty and security risks (for orphaned images of uncertain status)

3) inconvenience, without additional revenue, to the vast majority of users that aren't included in this shakedown

There are rational businesses and there are businesses that drive away their customers; in the long term, the former tend to "defend their revenue" much better.

How is that your read here? It feels completely arbitrary

It feels like people just enjoy digging into outrage - this sort of nit picking at specific phrasing in communications is baseless, and happens for literally any incident where an apology is issued.

It's wild how the same people will complain that some corporate missive is completely content-free while at the same time punishing any attempt at earnest communication by scouring the missive for a raised edge to take offense at.

There is no earnest communication in that message, that was damage control with an attempt to change perception.

The 'problematic' phrase is right before the section detailing who is not impacted - which is what many people are going to want to know! "Wait, should I be worried about this?"

This is an example of my point actually - these types of posts are magnets for people that cannot be pleased.

Agreed. It's frustrating to see companies try to downplay the impact of their mistakes by using statistics like "less than 2% of our users." Companies NEED to take responsibility for their actions and show genuine empathy for those affected, rather than trying to minimize the impact of their mistakes with vague statistics.

This is how I interpreted this. I feel this was a box ticking exercise with 0 emotion.

The "2% of our users" is indeed misleading since most users don't run organizations, and it's mainly orgs that were affected. A better metric would be what % of orgs were impacted.

I'm guessing this sentence is aimed at current and future investors.

Is it even possible that there will be future investors?

Compared to the recent apology from Fly.io [1], Docker's corporate apology is terrible. Fly's was open about the struggles they faced and how they feel about it, empathetic to their customers, and came across as genuine (also reinforced by mrkurt's active follow up both in their community, as well as here on HN).

Docker's on the other hand is none of that, and full of corporate PR red flags:

- "This only impacted less than 2% of our users" signals that they're not really sorry. It tells me they see this as a 'loud minority' problem

- "This does not affect [list of 6 other types of subscriptions]" -> signals the post is partially being used to promote the other subscriptions. Reinforced by the "what are the benefits of a Docker subscription" at the bottom.

- It's still unclear (to me) what is the actual implication for some of the non-official open source projects here. On the one hand they say: "Public images will only disappear if the maintainer decides to proactively delete it from Docker Hub". Further down they mention "we will defer any organization suspension or deletion while the DSOS application is under review". Clearly they do intend to suspend organisations, but maybe let old images remain? Then the problem remains, as it prevents future updates.

Despite what it tries to say in words, (for me) this post just reinforces the initial signal of both not understanding and not caring about the open source usage.

[1]: https://news.ycombinator.com/item?id=35044516

> It tells me they see this as a 'loud minority' problem

I don’t think that’s what it is. I think it’s minimizing. Don’t worry, it’s only 2%.

The problem is that’s 2% directly. If my organization has a Docker license, we’re not affected because we’re commercial.

But that’s not true is it? If we use Docker there is a very good chance that we use or base some of our images on open source images. We’re affected indirectly.

I admit it’s probably not possible to measure, maybe even estimate.

But the total number of organizations this change will be a problem for is way more than 2%. And they don’t want to admit it.

If they are listening to feedback, first is that a 30 day timeframe sends the message that "we feel our profit is more important than whatever else you are working on, so much that you should either pay us, or if you cannot afford it, immediately halt your other activities to reduce our costs." None of that builds trust.

As someone affected, I'm ok with paying.

* I don't like feeling tricked

* I don't like feeling held hostage

* Make your changes in a manner that preceding the announcement with "SURPRISE!" wouldn't be fitting

This was done with no notice--basically a bill for RIGHT NOW with no warning, and it seems that the only reason for that was greed? Docker just hit 100 million in ARR. I mean, really, you can't afford to roll this out gracefully?!?

Docker Hub has become deeply integrated into the workflow of development/pipelines/runtime environments/etc. Announcing something like this with 30 days notice is extremely insulting. They're a software company (maybe not...?) and should be well aware of the amount of interruption that a 30 day notice on something like this causes.

I can assure you that Docker is not trying to protect any profits. More like... slow the cash hemorrhage.

Docker is over 100 million ARR from what I understand, so that's a strange thing to say.

But what’s their debt and running costs?

So it is impossible that such a thing could be eclipsed by revenues?

I don’t think I said anything about possible or impossible. But their revenue is only one part of the equation. If you don’t know the other numbers, it’s not particularly useful to say here’s a big number they must be profitable.

How can you "assure" that?

Ah, good ole Docker.

When they did the "it's not free anymore" rugpull on Docker Desktop, I couldn't use it at work anymore since they wouldn't invoice us for less than a 50 seat license. Unfortunately, a lot of businesses won't buy things without invoicing for legal reasons.

It really upset me because I had a pretty solid workflow with docker desktop on a mac. Now I can't use that anymore. I am not surprised they continue to make foolish moves trying to monetize their software.

I get it, you need to monetize your software... but this is dumb.

Hey! They decided to do invoicing, after all! When they couldn't find a way to take purchase orders in the initial license obligation round and we were going to have to go through a third party licensing service to pay, we did a little math, and realized that it was cheaper to let one of the guys on the DevOps team create and maintain the customized WSL install option, with the bonus of steering the developers to our internal registry out of the box, because we really don't want devs pulling stuff directly from Docker Hub without any sort of traceability, much less (shudder) pushing anything there. The prospect of having to manage hundreds (or more) of user accounts with SSO "on the roadmap, pinky swear" pushed the math over the top.

Many months later, this is still proving to have been a good call.

Moral of the story: do not try to shove a category change on large corporations without having basic things large corporations routinely require in order to give you money, especially if replacing you requires a lot less spend on extra internal labor and material than you're demanding to be paid.

Yea the WSL option is what most places I know are doing. Unfortunately, I like using MacOS so it won't work for me haha. I don't trust the team writing the generic free version for Macs.

On the other side of the spectrum, working somewhere that would have purchased thousands of licenses, they were equally unaware of what larger corporations want or need for such arrangements.

They were so blinded by giant dollar/Euro signs when insisting that we take loads of those ~20/month licenses that included a lot of things that are anti-features to most enterprises (we need to prevent people from pulling/pushing to Docker Hub!) but left out things that would make it less miserable (SSO/SAML), that they couldn't see that absolutely no one was going to put five figures on their corporate card each month.

I see that they now have those things, but it would have been very clever to have asked a few potential customers about these things ahead of time, and made sure they had them as soon as they stuck their hands out... or had a few ex-corporate types around to run this all by before telling us that we will be buying Docker licenses within 120 days for everyone who happens to have Docker Desktop installed. At least they were savvy enough to realize that large companies couldn't have begun to cope with much less notice, but as it was, the rough start with a looming deadline was enough motivation to get us trying alternatives right away.

Ah, the good ole "my company won't pay for a $5/month tool that I like because the tool maker won't invoice my company for less than 50 users, so instead of paying $5/month myself on my credit card, I literally 'can't use it anymore' out of principle."

That's literally how it works in big corps and how it should work in general - company property should be paid for by the company, and the company's liability in case anything goes wrong.

You should not be giving your $x (it does not matter that it's only 5) to the company.

That’s not the problem. The problem is that companies forbid their employees from using it if they can’t pay for it.

I love big enterprise, where ten people can have daily meetings for a month to decide how to pay a few hundred dollars.

Yes, this happened to me. More than once.

No, you can’t just pull your wallet out and offer to pay for it yourself with cash. You’re not an “approved supplier” and it’s the supplier that needs to provide warranty support.

Also if you pay for it yourself, then you’re providing it as a “gift” and that could be construed as corruption — unless you’re reimbursed, but it’s above the threshold…

This whole thread has given me flashbacks to that time when the project manager broke down in tears and put his credit card back in his wallet…

And surely that's a problem for the employee's company, only because they're the ones imposing the restriction, not some external third party.

Big companies have people around whose sole job is to make sure that all software that needs to be licensed, is licensed, and that these licenses are the exact ones that meet the providers' rules. This usually means that you are not allowed to use a personally-owned license on a company computer.


Because the consequences of getting this wrong can be far more expensive than whatever productivity gains you, the individual employee, claim to be achieving.

Docker, for example: we had absolutely no interest in individual users directly accessing their online features (we took a bit of trouble to block them, in fact), so theoretically, the free Personal licenses should have been fine. No.

Ok, so just have each Docker user pay that $5 themselves. How do we make sure every person who has Docker installed on their PC really is paying for a license? Even if we gave them all corporate cards, and Docker was going to be cool with several hundred accounts (or more) from the same domain not being on the "Business" plan, we then get to set up a process with Accounting to make sure the PC scans match the payments.

This might all sound ridiculous to start-up/boutique employees, but is a basic fact of life in corporate IT... which Docker was hoping to get a lot of money out of.

What are the 'consequences of getting this wrong'? Surely if a company has 'y' users all wanting to use a software product that company purchases y+1 licenses just to make sure they are covered. The problem is a company wanting 'y' licenses more often than not wants a y where the y is 1 and they're not looking to engage the thought of making a y+1 purchase. However, they still want to be invoiced for the purchase and have their payment come 30 days later, which will require many additional hours chasing that late payment that comes 45 days later. Yet somehow, they don't understand every scammer uses the exact same approach, but of course the scammer never bothers with the pretense of offering to actually pay any late bills, so in fact scammers cost the software provider less in the way of lost time.

If your company can credibly show that we knew that there were instances of your product running on several hundred of our PCs, but we can't prove that we were paying for the licenses, you can sue us for a lot more than those licenses would have cost, depending on where you're located and where we have official presence. You might not win, but you're still going to cost us a lot of money and time. Relying on tens of thousands of users to potentially manage their own licenses for thousands of products would be an absolute nightmare.

But why do we know what users have installed on the PCs assigned to them, aside from the licensing? When your product has a security hole (and unless your product never, ever talks to the Internet or other devices, it will someday), we need to know exactly who has it so that we can force them to patch. Again, tens of thousands of users with potentially thousands of products that need to have security issues tracked. Nightmare.

So if your custom software house** doesn't want to sell us your product in a way and provide management mechanisms that we feel comfortable with, then we'll find one of the many that does, or is happy to work with our preferred resellers. Or we will help departments redesign their processes to not need it.

Corporate IT cares deeply about what managers want, as they pay the bills. If they want your product for their subordinates, we will work to make that happen in a way that keeps our legal department and IT security management happy. Corporate IT cares deeply about users being able to use the products and services their managers are paying for. Corporate IT does not give a fig what individual users want, if they can't get their managers to pay for the cost of us dealing with that new product.

Negotiating license agreements and tracking usage, as I said before, is a full time job for several people. I am fortunately not one of them, but I've worked with them when supporting products within the company. Large companies do not employ these folks out of charity.

Corporate IT and corporate life is certainly not for everyone. Corporate IT doesn't work this way because we're humorless prigs; it works this way because there are billions in sensitive data and intricate production processes to protect, and tens of thousands of well-meaning folks who are competent in things other than infosec potentially providing network access to people who are not well-meaning.

If you want that sweet sweet corporate cash, figure out how to accommodate their purchase and IT management processes. Software resellers may be a good compromise. If you don't want to deal with corporate purchasing, don't be upset when a lot of your potential users end up with someone else's product.

** Anything smaller and more niche than SAP may as well be a "custom software house".

Too late to add this edit: now that I've thought about it for a bit, I think that many of our software purchases are via software resellers. One of the main reasons is that getting a new vendor approved by Accounting for payments is a slow, painful (to us) process that involves Legal (contracts!). As I'm neither an accountant nor a lawyer, I'm willing to accept that they have good reasons for their processes (preventing me from easily funneling money to a relative, for example) and just see it as another fact of corporate life instead of railing against it. In return, they do us the courtesy of accepting that they can't just install whatever they like on their PCs.

Legal is often still involved when it comes to new software products, because, among other things, there's GDPR. Oh, and Works Council.

My main point remains unchanged: relying on tens of thousands of end users to manage their licenses is something that large enterprises just can't do, so we end up with rules that seem draconian, and you, the hopeful seller of software/services to be used in corporate environments, will benefit from understanding how we work, even if you think it's stupid.

It's pay out of your own pocket vs be less productive yet still paid same by company.

What's the workflow? What more is Docker Desktop than a way to get the Docker CLI on non-Linux machines?

I get invoices for my $5 Pro plan. Do you mean they wouldn't take the order on credit?

I assume they mean Docker issues an invoice which the company's AP department can then pay by either cutting a check or ACH transfer. At least that's what we had to get all our vendors to start doing when the company I worked for killed off corporate cards and quit letting employees expense things like this.

I have many issues with Docker the business but, have to say, this situation sounds like they might not be the problem quite as much as the employer.

Meh maybe. But it's actually a pretty common restriction for whatever reason in large enterprises, and not something your average dev can influence.

Probably means they would not do NET30 or the like terms to fit with their corporate purchasing workflow.

Pretty hard to get NET30 invoicing on a transaction which is less than $450, especially if you've chosen the monthly plan. It's just not worth the labor chasing an unpaid $450 invoice every damn month.

Isn't that what resellers are for?

Not sure how this changes anything.

Their open source program [1] only grants a free 1-year Docker Team subscription. After which time the whole system is unusable. And most of those features aren't what open source teams even need which is surely just basic multi-user access.

They really should have just tightened the entry criteria for their open source offering if they were so concerned about it being misused.


Too little, too late, everyone I know is looking for ways of leaving docker for good. This last announcement just cemented the lack of confidence in the platform. As someone put it to me recently: "a bunch of execs trying to squeeze out a dying platform for a bonus before moving to another money squeezing project." At work we made the plan to leave today.

(Docker DevRel team here) For clarification, the program grants one year of access, but is indefinitely renewable as long as the program is still compliant with current criteria.

Thank you for the clarification. For reference, are there any open source projects you've seen that suddenly change course to being paid products and would lose open source status according to Docker? Any Linux distros that suddenly went closed source? Are there any sort of general public licenses that might preclude projects from even doing so?

Say a distro sells laptops with the distro pre-installed while also providing the same image online and might also sell consulting services to companies utilizing the distro. According to my understanding of the terms of Docker's open source program, even if said distro was fully open-source and run by a non-profit they would be non-eligible to participate in the program.

Is this renewal automatic? Having to go recertify with docker once a year for my tiny open source project that we happen to have an image for is literally infinity percent more hassle than I would like to deal with.

I think I read that it prohibits making money, like consulting on the OSS product. This prohibits a lot of OSS teams.

Recent and related:

Docker is deleting Open Source organisations - what you need to know - https://news.ycombinator.com/item?id=35166317 - March 2023 (727 comments)

Docker is sunsetting Free Team organizations [pdf] - https://news.ycombinator.com/item?id=35154025 - March 2023 (105 comments)

Docker is sunsetting Free Team organizations - https://news.ycombinator.com/item?id=35153949 - March 2023 (12 comments)


Elixir: Docker now charges open source orgs $300 - https://news.ycombinator.com/item?id=35166579 - March 2023 (38 comments)

Ask HN: Docker Alternatives? - https://news.ycombinator.com/item?id=35171491 - March 2023 (5 comments)

> This impacted less than 2% of our users.

I think they mean it impacts less than 2% of user _accounts_. Not every account is created equal. If you were an open-source org with millions of image downloads a month, having your org deleted would have an outsized effect on the community. Many more Docker Hub users than 2% stand to be affected by these changes, even if the nominal value of 2% of user accounts is accurate.

Also, this "apology" does not feel even 2% apologetic. "I am sorry you misunderstood us" is not an apology. They're running the seldom used "docker pull gaslight:latest" command.

Oh my, have you run a `docker search gaslight`? I just did and it looks like docker hub is being used to distribute ebooks? WTF... This is why we can't have nice things....

Not quite distribute, it feels like spammers are using dockerhub pages as a free publishing platform for posting links to even more scummy websites in promises to get free ebooks and full hindi movie downloads and my favorite "cleanmymac-x-443-cracked-activation-code-hot".

Docker probably should've started their purge there, not with FOSS orgs...

I stopped using Docker entirely after the Moby mess, when Podman came around without needing a daemon, and better runtimes became available for Kubernetes. It's been the inferior product for a long time, only kept alive by the dev mindshare they gained early on.

It's synonymous with "containers" for a lot of people. I know a lot of groups that use docker to build containers and other infra to run them.

Too bad the company screwed up turning their technology into a real business, or taking a graceful massive exit when they had the chance. Their VCs doubtless pushed them towards an IPO when they didn't really have a solid revenue plan.

Once they started nagging / forcing / tricking people into paying for what they had offered for free, the company was doomed. The "+WASM" branding all over their website reeks of the sad desperation of a has-been coulda-been. Sorry folks, you built cool and important technology, but that's not good enough if you're greedy.

> You can migrate from a Free Team organization to a Personal account by opening a support ticket. No action will be taken against your account while your ticket is being processed.

This company raised $400M+ and they cannot be arsed to implement a feature to change account types.

I have nothing against Docker Inc. But it's worth noting that this kind of screw up happens when your company, from the top down, does not practice a culture in which empathy/compassion for people comes first.

In all areas of the business, everyone should first be thinking, how does this impact the people using this thing? Have I talked to them? Do they understand what's happening? Do they have concerns? Have I fully addressed them? Is this going to make their lives harder, or will this be scary, or confusing?

It's my biggest pet peeve. Both as a user and an employee. If you don't take the time to care, it's really obvious, and an easy way to piss people off and inconvenience them. From a business perspective that drives customers to your competitors and makes employees quit. From a personal perspective, it's just a dick thing to do.

Reading carefully about image deletion:

* "public images will only be removed from Docker Hub if their maintainer decides to delete them"

* "Public images will only disappear if the maintainer of the image decides to proactively delete it from Docker Hub. If the maintainer takes no action, we will continue to distribute their public images."

This sounds good, but it would be better to explicitly say "if you opt to let your free organization be suspended, Docker Hub will continue distributing your public images indefinitely anyway". It feels like there's a loophole here where if a public image comes to have no maintainer - because they abandoned its organization - then it no longer benefits from this assurance. That seems unlikely, but given how this change has been going so far, it's tough to give Docker the benefit of the doubt.

Would be worried that the old images will still be distributed, but if an open source maintainer needed to push an update (e.g. for security reasons) they'd need to sign up to the paid account

> What are the benefits of a paid Docker subscription?

> Docker Pro is ideal for individual developers looking to accelerate productivity.

> Docker Team is ideal for small teams looking to collaborate productively.

> Docker Business is ideal for businesses looking for centralized management and advanced security capabilities. Visit our pricing page to learn more.

I'm not quite sure that answers the question, just how docker would like its customers to self-discriminate.

Two solutions that don't seem to be mentioned:

1. Let any user have as many "free teams" as they want, but restrict the image size (under 1GB?) and/or downloads (under 1,000/month?). Maybe let the community vote for open source images exempt from this restriction.

2. Run a free link redirect service: user registers my-team on hub.docker.com, links my-team/my-image with their preferred registry my-registry.com, client-side docker pull my-team/my-image resolves automagically to my-registry.com/my-team/my-image.

3. Let paying teams sponsor free teams. Maybe allow multiple organizations to sponsor a single team. (The free team should be able to refuse sponsorship on a case by case basis)

Ugh. We war-roomed, and subsequently kicked off a big project this morning to replace most, if not all, docker in our infrastructure and dev systems with podman.

The first messaging clearly read to me that they would delete everything (including images), the second just seems like they backtracked internally despite claiming a different meaning for the original message.

I have lost trust in this company.

If Docker had any sense of leadership and community, they would have predicted that this petty extortion would have caused severe damage and loss of trust.

This is irrational, self-destructive greed, not the more usual transparent and regretful removal of generous pricing plans and unsustainable services that dotcoms have made the public familiar with.

Not much has changed then.

If you don't meet the strict criteria of the Open Source Program, for example you are a for profit company publishing an open source image, you can't upload new versions of your public images. Your images are one CVE away from becoming useless.

If you do meet the criteria, they will build images for you. No way to have your own build process. All artifacts are made public.

I don’t get the hate of Docker as a company. Yes, this is crap technology that incentivises resource inefficiency in its peak form, but this is how stacks like ruby or python are at least working. Still, the docker org invented all the tools, gave them away for free, promotes, documents and supports them, and gave a free global registry that can be filled by anyone and contains petabytes of trash, with thousands of terabytes of free egress monthly. They gave away all their intellectual work to RedHat/bazaar and participate in development of “open standards” for free. And now when they take away some expensive toy, developers become hostile and call them unreliable.

i love Docker, but i think people by and large forget that OCI images are a thing, and that ultimately we are talking about slightly complex tarballs here.

i do think Docker is squandering an insanely privileged position here, even if i'm not particularly invested/dogmatic personally about Docker as a brand. only every so often does a company become a member of the popular lexicon -- an Uber instead of a Taxi, a Kleenex instead of a tissue -- we pull Docker images every day even though they are actually OCI images, or hosted on GitHub.

this privilege is insanely huge and it is one granted through technical aptitude, intense problem solving, commitment to open source and tooling, and so on, that the Docker project displayed for its first two decades or so of existence.

where it fell off that wagon as a brand, and misaligned with its technology, i don't know. this is just one person's 2c.

This is my reason why I hate them: https://lwn.net/Articles/676831/ and specifically this: https://lwn.net/Articles/676938/

All the discussions from the Docker team regarding SystemD feel like they want to push Docker Swarm and see SystemD as a threat to their business model. It would not surprise me if they downtalk Lennart Poettering on a personal level.

Also to this day if we want to set up complex test scenarios we need the --privileged flag to run Docker in Docker.

i think the hate comes from them squandering a position of their magnitude, built upon the investment and trust of the open source ecosystem.

github set a precedent with free public repos, but they traded the cost of supporting that for being the canonical way to store source code online (or as close to it as one company can get).

docker accesses this privilege but then demands that open source people, who are by definition not paid for their work directly, must pay to host images on their branded platform, the one which guarantees them a place in the technology hall of fame.

the double-punch of that failed remunerative trade ends up feeling to that community like a betrayal; not to mention the self-defeating strategy it embodies, since a technical solution here is not only possible, but would be expected from a company granted that position and privilege in the software supply chain (technical aptitude / excellence).

at worst it is a betrayal, at best it comes across as lazy, because they are not reaching for a technical solution which can satisfy every constraint; they are satisfied launching one that merely satisfies their own needs, to the detriment of the community that supported them.

This isn't a good clarification. While Docker says they will not delete images, it doesn't clarify whether they will delete organizations. Indeed, under "Can someone else squat my namespace?", it says "if your organization is suspended, deleted, or you choose to leave Docker voluntarily", which implies that orgs may also be deleted involuntarily. This is still a problem.

> You can migrate from a Free Team organization to a Personal account by opening a support ticket. No action will be taken against your account while your ticket is being processed.

Support request sent, I wish they were more clear on what "Topic" and "Severity" this kind of request falls into.

#HugOps to the tech support team that's going to be flooded with requests.

FAQ does not include the most asked question: "Why the fuck are you still so bad at this?"

(from the Docker DevRel team) Ha! Just had to say... this gave me a good laugh! We're trying to get better... I swear! Comms are hard. We'll get there.

Appreciate it. I'd advise to try hard to not be dismissive of even the more snide and flamey comments in this thread - their interpretations are valid from what I see posted so far.

I already moved my relevant containers to GHCR.

Side note - Google's "crane" CLI tool was marvelous for this purpose.

> How can I see if I’m affected?

> Please consult the Organizations page of your Docker account; any affected organizations are labeled “Docker Free Team” in the “Subscription” column. Less than 2% of Docker users have a Free Team organization on their account.

Interesting theory, but no; my account is paid, but I'm using third party images that are rather harder to verify.

It's almost becoming a cliche for companies to release damage control follow-ups like this after they pull a bait and switch.

It's always "we're sorry that we didn't communicate our bait and switch effectively". Not we're sorry that we pulled a bait and switch. We're sorry you didn't understand the value in this bait and switch. It's your fault, actually. But we're sorry you're angry. Now stop giving us negative attention.

This speaks to the product culture at Docker. They are unable to admit they are changing direction after negative customer feedback, so they are pretending this was always their plan, and shifting the blame to their customers.

It is similar to pseudo-blameless engineering cultures, where engineers won't admit to bugs, or update the status indicator, lest they face the shame of writing a post mortem, or having it brought up in their performance review.

Ah, but there’s no such thing as negative press. Look how many people are talking about Docker now!!

On our team we are mainly talking about how will we divest of Docker.

> No such thing as negative press

Tell that to Silicon Valley Bank after that WSJ article that started the run lol

This is somewhat an extension of modern politics, which is largely seen by political professionals as a problem of "messaging", where policy details are secondary to how people can be persuaded to think about those policies.

The forces of capitalism reward this, it will continue to happen as long as we pick pure capitalism as a system, and keep assigning values to companies purely on financials with no consideration toward their ability to empathize and communicate.

There's no such thing as "pure capitalism" – not if you're talking about things that exist.

In an ideal free market with perfectly-rational omniscient actors, this issue wouldn't occur. I don't think you even need the omniscience: trust, memory, reputation/vouching and basic game theory should be sufficient (though I haven't proven this). Alternatively: a free market with contracts, where all things go through the system, would work.

In the real world, the system consists of people, each of whom is optimising for a particular thing. Very few people are optimising for "make the most money, at the expense of all else". Show me anyone (even a billionaire), and I'll show you somebody who values other things higher than the accumulation of money. And plenty of things don't go through "the system of capitalism": we have commons, and volunteers, and favours, and coerced unpaid labour / wage theft.

"The forces of capitalism" might be a good shorthand for the reasons behind this problem, but it's not strictly an accurate one: these issues aren't inherent to capitalism. They're not problems with capitalism, but problems with this system. (Capitalism does have other, different problems that are pretty baked in, like how capital is power and power lets you accrue capital, but I don't see how that relates to this issue.)

This feels like a win for capitalism to me. The actually innovative thing Docker did is open source, and replacements already exist for DockerHub. So, we get the good tech they created, and the company with the user-hostile choices dies, or becomes irrelevant.

We're sorry there was a backlash.

Needs South Park gifs.

They say that their separate "open source program" (DSOS) is completely better than Free Teams. Why didn't they just migrate everyone on Free Teams to DSOS and then worry about the qualifications for those migrated afterwards (and less stringently)?

And why don't they answer for nearly a year after submitting a request, only to THEN ask to resubmit the request with an improved form or something. After which everything goes back to silence?
