I don't want to discount the work they are doing, or say that it has no value, but it's a little bit shocking that they expect to go all commercial with this, in the Oracle way, while just "packaging" and so relying on open source software that they will not contribute to.
Also, I'm a little bit wondering how much all of this is really copyrightable in the end.
Because if you keep it private I understand, but here it is basically, for each package, just a few lines: recipes to build the components that they don't own. Like trying to copyright the line "make build".
And each might be the single, obvious way to package the thing anyway.
And speaking of the built artefacts, usually a binary distribution of third-party open source software under a common license should preserve the same rights for the user: to access the source code, the instructions to build, and the right to redistribute...
Have a look at https://github.com/bitnami/containers/tree/main/bitnami/post... as an example.
It might be worth a commercial license for some of their current user-base, no doubt.
The "Makefile" they have written and are copyrighting is very non-trivial, and there are many man-months of effort in it. Configuring all sorts of software just with env vars and making it usable is not an easy feat.
Not everything that's authored and published is eligible for copyright. Copyright applies only to the creative elements of a work that are unique. Things that are facts, or are necessary for function, are not copyrightable.
They likely hold a copyright on the exact expression of their documentation, but the facts and information in that documentation, and necessary configuration such as port numbers, and dependency selection are not subject to copyright.
What probably carries more value are the Helm charts that they provide, which are also on their way out.
The images themselves have official replacements (for example, looking at https://hub.docker.com/u/bitnami why wouldn’t I use Node or Postgres images from the official sources instead).
I have no idea how many people actually used their helm charts though.
They do keep some of them more up to date, for example the bitnami python image had system packages patched faster than the official one. But if you are willing to pay then chainguard is a better solution.
Some other open source projects have also shipped Bitnami software in their own helm charts, i.e. APISIX's etcd instance is the Bitnami chart pulled in as a dependency.
Not that it ever worked well, we had to scale it to 1 because the quorum would constantly break into unrecoverable states.
> However, in order to sustain and support the dedicated team of engineers who maintain and build new charts and images, a subscription will be required if an organization needs the images and charts built and hosted in an OCI registry for them.
This is such a naive take. Bitnami images were a sign of goodwill, a foot in the door at places where the hardened images were actually needed. They just couldn't compete with the better options on the market. This isn't a way to fix it, it's extortion. This is the same thing Terraform Cloud did, and I don't think that product is doing so hot.
> Essentially, Bitnami has been the Jenkins of the internet for many years, but this has become unsustainable.
It's other people's software, so it's very rich of Bitnami to accuse anyone of freeloading when their only contribution is adding config options to software that maybe corresponds to a level 2 on the OperatorFramework capability scale[1] - usually more of a 1.
[1]: https://operatorframework.io/operator-capabilities/
> It's other people's software, so it's very rich of Bitnami to accuse anyone of freeloading when their only contribution is adding config options to software
I'm not going to defend a corporation, but this sentence feels very entitled. They were providing it for free, you could use it. They are not going to provide it for free anymore, so you migrate to something else or self-maintain it and say "thank you for the base work you did that I can use now".
Aye, it's a bit like saying you can't sell your code because you wrote it in someone else's software.
Writing a decent Dockerfile isn't hard, but keeping it maintained and working with new versions is still work, and it's outside the wheelhouse of very many people. It's entirely reasonable to want to be paid for that effort.
That said, it's not work I personally value enough to put my hand in my pocket, and that's a fair take too.
I think it's perfectly fair for them to say "we're not doing this any more". The sketchy part is deleting the public registry at docker.io/bitnami rather than just no longer updating it. Why can't docker.io/bitnami become the 'legacy' registry, receive no future updates, so at least folks who don't hear this news won't have pulls suddenly fail?
edit: like if I have a package on NPM and I want to stop offering it, I think it's shitty to just delete it. That breaks builds.
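An added illustration of the breakage risk raised in the comment above (example code written for this page, not from any commenter, Bitnami or Broadcom): a script that inventories `image:` references in Kubernetes manifests, flags the ones that resolve to docker.io/bitnami, and reports which of those are only tag-pinned, since a tag can vanish with the registry while a digest at least makes the dependency explicit. The manifest text and the digest value below are constructed samples.

```python
"""Inventory container image references in Kubernetes manifests and flag the
ones that depend on docker.io/bitnami.

Assumptions (not from the thread): manifests are plain YAML text whose image
fields are `image:` keys, and references follow the Docker reference grammar
[registry/]repository[:tag][@digest].
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "image: value" or "- image: value", with or without quotes.
IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^\s"\'#]+)', re.MULTILINE)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only a digest is immutable; tags (including "latest") can move or vanish.
        return self.digest is not None

    def __str__(self) -> str:
        s = f"{self.registry}/{self.repository}"
        if self.tag:
            s += f":{self.tag}"
        if self.digest:
            s += f"@{self.digest}"
        return s


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest.

    Docker reference rules: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the registry is docker.io,
    and a bare single-component name lives under 'library/'.
    """
    name, digest = (ref.split("@", 1) + [None])[:2]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
    # A tag is a ':' after the last '/', so a registry port is never mistaken for one.
    colon = path.find(":", path.rfind("/") + 1)
    if colon != -1:
        path, tag = path[:colon], path[colon + 1:]
    else:
        tag = None
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def find_image_refs(manifest_text: str) -> List[ImageRef]:
    return [parse_image_ref(m) for m in IMAGE_LINE.findall(manifest_text)]


def bitnami_exposure(manifest_text: str) -> dict:
    """Report references that depend on docker.io/bitnami and which are not digest-pinned."""
    refs = find_image_refs(manifest_text)
    bitnami = [r for r in refs if r.registry == "docker.io" and r.repository.startswith("bitnami/")]
    return {
        "total": len(refs),
        "bitnami": [str(r) for r in bitnami],
        "bitnami_unpinned": [str(r) for r in bitnami if not r.pinned],
    }


# Constructed sample manifest (not from any real cluster); the digest is a placeholder.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      initContainers:
        - name: volume-permissions
          image: docker.io/bitnami/os-shell:12
      containers:
        - name: postgresql
          image: bitnami/postgresql:16.3.0-debian-12-r1
          imagePullPolicy: IfNotPresent
        - name: metrics
          image: "bitnami/postgres-exporter@sha256:0000000000000000000000000000000000000000000000000000000000000000"
        - name: redis
          image: redis:7.2
        - name: app
          image: registry.example.com:5000/team/app:1.4.2
"""

if __name__ == "__main__":
    report = bitnami_exposure(SAMPLE_MANIFEST)
    print(f"{report['total']} image references, {len(report['bitnami'])} from docker.io/bitnami")
    for ref in report["bitnami_unpinned"]:
        print(f"  tag-only (will fail to pull if the tag or registry disappears): {ref}")
```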
When a project is abandoned, when updates are slow, when features people want are not being released, when tracking upstream dependency updates is delayed, sure, you are not entitled to anything and I’ll be the first one to say get off your butt and contribute. On the other hand, when you engage with the community for years under an OSS/free context, then once the community has invested in your project, learning it, creating learning resources for it, integrating it into their own projects, and you never communicated your intention to “wait until it gets big, then pull the rug”, it feels like a disingenuous bait and switch. The reason it feels that way is because it is a disingenuous bait and switch. This is even more so the case when you built your project on top of other projects.
I have no problem using a paid product or service or paying for support on an OSS product, but I will never pay one of these bait and switch scams a dime, no matter how much engineering effort it takes.
Vendor lock-in is a thing. Switching costs are a thing. They know this. That's the whole business model. They're expecting the cost of switching to outweigh the cost of the subscription.
I get that this business model is fashionable amongst wannabe rent-seekers, but it's still antisocial and should be shunned.
Reminds me of a joke, where there was a beggar sitting on a street next to a certain office, and one man has been giving him a coin every time he went to work or was going home. That continued for a while, until one day the man says to the beggar - "you know, I've been giving you a coin twice a day for a while now, but now I am getting married, it's an expensive thing so I can't give as much anymore, I only will be giving you a coin once a day from now on". And the beggar cries out: "Look at this putz, he's getting married and now I have to feed his whole family!"
What do you mean, that's the business model of more than half the VC-funded startups now. Provide something for free or near free, wait until your customer is dependent on you and/or consolidate into at least an oligopoly, and then put the thumbscrews on.
I find that to be a pretty dishonest business model. I don't have any Bitnami images to replace, but I know a lot of people who do without ever having made that choice - and their bosses aren't going to pay Broadcom for the most part either. So you end up with overworked developers that now hate Broadcom and/or a whole lot of deployments that just break or never get updated. The number of people going "I can just switch over to the archive image, whatever" on the K8s subreddit alone is concerning.
> This is such a naive take. Bitnami images were a sign of goodwill, a foot in the door at places where the hardened images were actually needed. They just couldn't compete with the better options on the market. This isn't a way to fix it, it's extortion. This is the same thing Terraform Cloud did, and I don't think that product is doing so hot.
You seem to be confused about who Broadcom is and how they operate. "Long term health" isn't a thing for them. They buy products that are embedded deeply in the fortune 500, cut 90% of the staff, and increase licensing and support 2-100x. They do not care if you are upset. They do not care if you're going to "find something else". They don't care if you build an entire campaign to decry what they're doing.
They know the F500 cannot easily remove them, and that they will have at minimum 5 years to print cash on their service contracts. Sure, some of those F500s will sue them and try to stop the extortion via legal means, but they know that they'll either win, or at worst still be allowed to jack up prices even if a court rules it's not their original egregious asking price.
Building an infrastructure company is challenging in 2025. Previously, you would prioritize traction among developers over focusing on revenue.
But that does not work in 2025. You are expected to make money from the get-go and are left with only enterprise customers and boy, that category is hard, as everyone is competing for that slice.
The problem I think is that all the easy infrastructure problems have been solved and the market is crowded with those solutions. Solving the hard problems is probably where you could have a viable business but I don't really see that many companies trying to solve those:
* Making mono-repos work for large companies.
* Mixed-language builds are still an unsolved CI/CD problem for most companies.
* Testing strategies for IaC deployments.
And more that I won't bother to list here.
So, you're saying in 2025 businesses are expected to actually make money? What a novel concept. Will the wonders ever cease? I mean, you could expect that thing where you borrow incessantly to "gain traction" and "produce growth" but never produce any returns on it to run for a bit, especially in a new field where becoming #1 is at premium. But it has to stop somewhere. So it looks like somewhere is here.
> Previously, you would prioritize traction among developers over focusing on revenue.
A.k.a. using open source as a marketing tactic to lure in customers, only to do a rug pull once the business gains enough momentum.
> But that does not work in 2025.
Good. It is an insidious practice. There are very few projects that actually do this properly without turning their backs on the users who made their products popular in the first place.
> You are expected to make money from the get-go and are left with only enterprise customers and boy, that category is hard, as everyone is competing for that slice.
The strategy of delivering valuable products that benefit users without exploiting them has always existed. The thing is that many companies choose the greedy and user hostile path, instead of running a sustainable business that delivers value to humanity and not just to shareholders, which is much more difficult. So I have no sympathy towards these companies.
If their contribution is minimal, then the impact of this change should also be? But it appears it is disruptive, so they have been showing up for a long time, and that’s one of the most difficult things.
That's like saying, "Honda isn't a car company, they're an assembly company because they don't mine the minerals to make the parts and rely instead on supply chains"
In the end, they have to do it because of the CSR, and they can do it because of the CSR.
The European Union Cyber Resilience Act has the potential to drastically change the open source ecosystem.
The new regulation pushes the due diligence for security according to the Act towards any entity making a commercial offer based on open source software.
Caveat emptor!
For any enterprise, that means that they either do extensive documentation and security on open source components they use or they use foundation or enterprise-backed products.
Note that pure uncommercial open source projects are exempt from the Act.
I see this as a chance; we can still create open and free software, and those of us who desire financial compensation from those who make money with their work can offer the necessary compliance framework as a service via a different entity.
I don't agree, they have to do all the CSR due diligence for the commercial offerings based on those open source projects, so there is no difference. The effort has to be done regardless of whether part of it is open source and free or not.
They don't have to. They can do the paid secure images for the commercial offerings and keep the other ones free. Or they could free the secure images for everyone if they feel like that.
Hmmmm, I'm not sure that's how it would be read. If there's any 'associated commercial activity', it falls under the CSR, even if the images themselves are free and open source.
(That said, the overhead of the CSR is really not much, from what I can tell. It's pretty lightweight as EU standards go)
If you’re looking for an alternative here, we (the team that built Twistlock) launched Minimus a few months ago to provide near zero CVE images built continuously from source. We have long experience in this space (we even wrote NIST SP 800-190) and I’d love to talk if we could help anyone. We also have drop in replacement images and charts for Bitnami, as we describe here: https://www.minimus.io/post/the-bitnami-pricing-changes-what...
If anyone has tech questions about how it all works, tools we use, customer scenarios, etc I’d be happy to discuss.
Also, this form is nonsensical https://www.minimus.io/get-started#signup-form because it distinguishes between "Individual" and "Organization" but then Company is a mandatory field. Maybe just go ahead and label it "Lead Gen / Ask For A Demo"
Let me rewrite the comparison used in the "Example: Using Bitnami vs. Minimus" section of the blog post:
Using Bitnami Secure Images:
You pull a versioned PostgreSQL image built on a minimal-attack-surface OS (Photon). When a CVE is disclosed or a new upstream version is released, Bitnami’s automation takes care of everything: a new container image (and Helm chart, if applicable) is built, tested, and published to your registry within hours.
All you need to do is update to the latest version; no manual CVE monitoring, triage, or patching required.
The main question as always is price. I was also interested in things like Chainguard and Docker secure images until I had a sales call with them and found out the price.
I can’t seem to find the price anywhere on your site… I assume the reason for that is that it’s also nearly impossible for a non-fortune 500 to afford?
Nope - we're early stage so we're really flexible not just on pricing but licensing terms too. We have many customers that are smaller startups, not just typical F500 types.
Please offer an implementation of the docker-credential helper, just like Chainguard does with docker-credential-cgr[1], and don't put throwaway text that says "docker supports credential stores, so good luck to you" on your website https://docs.minimus.io/foundations/authentication#using-a-c...
1: https://edu.chainguard.dev/chainguard/chainguard-images/chai...
> BSI is effectively democratizing security and compliance for open source so that it doesn’t require million-dollar contracts from vendors with sky-high valuations.
I suppose 50k isn't a million dollar contract, but it's certainly also not "democratizing" anything
Depending on your needs, this could be a bargain as advertised. It's only expensive relative to what you can build on your own, or what competitors offer.
It's a bit tricky to work through all the jargon, but it's my understanding that they are simply pulling the mass of things that they provide for free. You can still get the Dockerfiles for their offerings (not sure they offer all tags though?) and you can even use the images from Docker Hub.
But. What they are offering is considered "development" regardless of what you are using it for? In other words, NOT a production environment, because they aren't giving you a production environment (or at least what they define as a production environment.) What they give you for free is the "latest" and on a Debian system.
What they offer as "secure" is running on Photon OS and goes through a security pipeline, etc. They aren't holding anything back aside from the services they provide.
I advocated an enterprise to migrate away almost two years ago now. In enterprise time that means the project to do so is just about complete, so I am feeling pretty vindicated just now.
My team is worried about that too. We've been a java and spring shop for years. We're looking at micronaut, it's similar enough.
When I had someone from another team take a look at broadcom and what they could do to spring, they said the licenses are permissive, it will be fine. Likely not that simple.
They're still technically Avago Technologies, just wearing the name of Broadcom after the acquisition in 2015-2016. Not sure if there's much of Broadcom left, beyond the name and what IP they had at the time which was not sold off, like they did with the IoT related IPs.
Taking a bunch of projects and making containers and flexible Helm charts for them is kind of an interesting model. It’s what Red Hat and Canonical do with raw Linux packages; they charge for premium support and even patches or extended support.
I was going through one of my clusters. I have two Bitnami uses and they are both ‘building blocks’: I use Trino, which uses a metastore, which uses PostgreSQL, and then some other package uses Redis. It seems like both PostgreSQL and Redis could/would have containers and charts to install their stuff; where it breaks is that the PostgreSQL guys probably want to support “current” and not 4 major releases back, which is kind of normal to see in the wild.
It is kind of an interesting model, I’d love it if rancher or openshift or someone started to seriously compete. Shipping a Kubernetes in a box is nice but if they started packaging up the building blocks, that’s huge too.
Broadcom has always been about pure evil (cough capitalism cough), you just haven't been affected by it before. Ask anyone who's worked with their hardware...
So
Others have already provided good answers. I wouldn't classify it as evil if all they did was to stop maintaining the images & charts, I recognise how much time, effort and money that takes. Companies and open source developers alike are free to say "We can no longer work on this".
The evil part is in outright breaking people's systems, in violation of the implicit agreement established by having something be public in the first place.
I know Broadcom inherited Bitnami as part of an acquisition and legally have no obligation to do anything, but ethically (which is why they are evil, not necessarily criminal) they absolutely have a duty to minimise the damage, which is 100% within their power & budget as others have pointed out.
And this is before you even consider all the work unpaid contributors have put into Bitnami over the years (myself included).
The images are currently in Docker Hub. If $9/month (or $15, not 100% sure if $9 includes organizations) to keep those images available is too much for Bitnami I'm sure there are many organizations who wouldn't mind paying that bill for them (possibly even Docker Hub itself).
Broadcom is deciding to host it on their own registry and bear the associated cost of doing so. Not sure what this has to do with sponsoring network egress
I was never a fan of images from Bitnami. They always used complicated entrypoint and setup scripts, and introduced weird quirks to the software. More than once I have experienced issues or run into configuration limitations with Bitnami images that didn't exist in official ones.
So good riddance, as far as I'm concerned. I recommend anyone to avoid using them, and switch to official images or to build them yourself if they're not provided. That's the more secure approach, anyway.
I concur. There was supposedly a migration path from their postgresql image & chart to the postgresql-ha image & chart.
Aside from having to re-mount the data disk and move things around manually, the -ha chart has numerous other issues, where it always requires the master to be node-0. And with pods being rescheduled within a StatefulSet, good luck having the master be on node-0. If there was an outage and the master is anywhere else, node-0 will just 'wait' for a master to come online, time out and shoot itself in the head thinking it is in a network partition and that retrying may help.
The algorithm implemented by postgresql-ha turned out to be plain broken. Only able to survive pods neatly shutting down.
Sometimes, over engineered approaches are necessary to make older software work with environment variables and configmaps, because said software is still designed for traditional VM deployments.
That's a wild take for "somebody provided something for free but decided they don't want to anymore".
Sucks for you, looks like you have to do your job yourself now.
If their value-add was minuscule then they should be trivial to replace.
If it's a struggle to replace them then that's the value they were adding.
It's a good feature, just hasn't been prioritized so far because customers haven't really had trouble with the current basic approach.
It's a shame that competition for this position has been ramping up lately.
Sadly, it feels like an inevitability at this point.