So, it has come to this

Docker Hub rag pull

written by woju on 16.03.2023 16:40 CET

So you've probably heard now that Docker Inc. is pulling the DockerHub from under the FOSS community.

(Disclosure: our project, Gramine, is also affected; we'll probably be moving somewhere else).

I must admit: I don't know what to think about it. There are certainly lots of people who appear to know what to think, and are mostly annoyed, because it affects their day-to-day operations. Quite a number of those people took to Hacker News to vent, which is certainly understandable, because it's, well, annoying to get 30 days to redo your pipelines.

It's also understandable that Docker Inc. may have got annoyed at paying for storage and transfer for what they see as little to no return. At least monetary return (the amount is said to be 300-420 US$ per project per year, if the project doesn't qualify for some exceptions), which might have become more important to them than the simple fact that they also depend on other FOSS projects.

But there's that one guy, Daniel Stenberg aka bagder, who is noticeably not annoyed. For those of you who don't know: Daniel is the founder and maintainer of the curl project, a tool and library for doing HTTP (and other) requests over the network. He continually improves it, and has been doing that for the last 25 years (curl is celebrating its 25th anniversary on 20 March 2023, in 4 days), and the results are spectacular: curl is very widely used, both because it's the best tool in its class, and because it's available at no cost. Your computer runs it, your phone runs it, and possibly even your car runs on both petrol and curl.

So Daniel announced on the fediverse that in principle he and his project don't care 1 bit for Docker:

I argue we (#curl) should NOT pay docker. Not give in to extortion. This might mean that someone else soon suddenly will register our name and can serve whatever image they want there. 5 *billion* pulls indicate there's a user or two that might fall victim for this.

That's on docker, not us.

—  https://mastodon.social/@bagder/110029589346386740

The last sentence is important. He further elaborated this point on GitHub:

Removing curl as a team does not really hurt the curl project. It hurts users in the docker ecosystem [...]

—  https://github.com/docker/hub-feedback/issues/2314#issuecomment-1471905927

I find this interesting for several reasons.

First, there are FOSS projects and FOSS projects. FOSS projects are equal, but there are those other FOSS projects that are more equal. The FOSS movement is in principle egalitarian (everyone has the right to code, cf. the four freedoms), but there's an inflection point after which not every project can say that “[i]t hurts users in [other] ecosystem” (more). Is this just? Yes and no: it would be unjust to put Daniel's 25 years of unabated dedication to FOSS on an equal footing with many come-and-go opportunistic FOSS “maintainers” (in quotes, because many people, myself included, are guilty of not “maintaining”, in the proper sense, at least some of the code they dumped in public). At the same time it's unjust to many other projects' dedicated maintainers, whose only problem is that their projects were not as widely adopted.

Is this meritocratic? Yes and no: again, curl is a fundamental piece of software for many ecosystems (not only for C, its namesake) and there's a certain weight attached to what bagder is saying about his and other projects, esp. if his software is used by them. Can we demand that Daniel stands up for all other projects just because those other projects have a similar licence? Absolutely not, because Open Source is not about you, and maintainers' entitlements are limited by the scope of their projects.

What will his stance bring about, and what will the effects be for other projects? We don't know, until it happens. It might very well be that a solution will be found which will be good not only for curl, but also for other projects. (Docker has an exception mechanism for other projects, where the maintainers need to apply and Docker will consider it, but that's not a scalable solution, and certainly neither transparent nor egalitarian).

There are other high-profile FOSS maintainers like Drew DeVault, who lately stood up to an even bigger corp, because he got annoyed by the laziness of corpodevelopers who didn't care about other people's computers, because it didn't affect them. He explicitly rejected an exception mechanism for the good of the wider community, realising that many other maintainers cannot stand up for themselves based on their own merit and their projects' accomplishments (like recognition and adoption; those are largely outside of a technical maintainer's control).

Linux (the kernel) has a mix of policies. They mostly don't care about other projects (apart from usually not breaking them), but they have an interesting policy in the graphics area that there needs to exist a FOSS project for the purpose of validating the interfaces.

Daniel Stenberg chose not to mention other projects, but it doesn't mean that other projects will be left out: it might be sufficient that he sets an example, and other projects will follow, even if just by switching the registry, but maybe also by sed'ing their projects' docs with s/docker/podman/g, and Docker will find a solution for fear of sliding into irrelevance. I don't think this will happen, but it's a possibility.

Speaking of projects, Docker has a list of so-called official images, which get special treatment. This is another point for the POV that projects are not really egalitarian (I don't know the criteria by which projects are enlisted, so I can't say if they're included based on merit). It's also notable that podman has its own similar list, which was already pitched to Daniel. (podman is a replacement for the docker CLI tool, of Red Hat pedigree; docker the CLI tool is not to be confused with Docker Hub, for which RH also has a replacement called quay.io, mentioned in the pitch).

I'll end this post by saying that I'm curious to see what will happen next. Not about Docker (they might as well fail tomorrow), I'm more curious what will happen in the broadly defined FOSS community. This event by itself, while annoying, is not that important (it mostly affects “deployments” of the full apps, not the individual projects contained therein). But there are other developments like the Cyber Resilience Act, the Product Liability Directive and others under the umbrella of “supply chain” security and SBOMs, which have the potential to drive considerable wedges between projects and into the FOSS community.

I don't have any prediction. I'll just note that when a rag pull happens, things resting on the rag tumble. It remains to be seen in what shape they'll come to rest. Our own project also got a pitch for an alternative registry, which says to me that enterprising people are sensing the opportunity to fill some void. I hope it's not a void between FOSS projects. Gramine is fortunate to have quite solid backing from multiple organisations, but not every project has this comfort, and it would be a shame to lose those other projects and/or loosen the connections between projects.

(Discussion on the fediverse: https://social.hackerspace.pl/@woju/110033775682320376)