I don't want to discount the work they are doing, and that it has no value, but a little bit shocking that they expect to go all commercial with this, in the Oracle way, while just "packaging" and so relying on open source software that they will not contribute to.
Also, I'm a little bit wondering at how much all of this is really copyrightable in the end.
Because if you keep it private I understand, but here it is basically for each package just a few lines, recipes to build the components that they don't own. Like trying to copyright the line "make build".
And it might be each the single and obvious way to package the thing anyway.
And speaking at the built artefacts, usually a binary distribution of third party open source software with common license should preserve the same rights to the user to access the source code, the instructions to build, and the right to redistribute...
MathiasPius · 1h ago
Between the VMware licensing changes and this, it looks like Broadcom is making a serious play at dethroning Oracle as the most evil software vendor.
It's a shame that competition for this position has been ramping up lately.
MangoToupe · 49m ago
This is much less exciting once you realize how evil broadcom is. Still, I suppose we all win in the short term.
elephantum · 1h ago
So, are they evil because they decided to stop sponsoring free network egress?
MathiasPius · 31m ago
Others have already provided good answers. I wouldn't classify it as evil if all they did was to stop maintaining the images & charts, I recognise how much time, effort and money that takes. Companies and open source developers alike are free to say "We can no longer work on this".
The evil part is in outright breaking people's systems, in violation of the implicit agreement established by having something be public in the first place.
I know Broadcom inherited Bitnami as part of an acquisition and legally have no obligation to do anything, but ethically (which is why they are evil, not necessarily criminal) they absolutely have a duty to minimise the damage, which is 100% within their power & budget as others have pointed out.
And this is before you even consider all the work unpaid contributors have put into Bitnami over the years (myself included).
7bit · 11m ago
that's an assumption, but Broadcom is most likely using open source software in all of their apps. So they do have a moral to also give something back. So just saying it's fair that they don't want to provide something for free anymore isn't really all that fair.
systemswizard · 1h ago
Broadcom is deciding to host it on their own registry and bear the associated cost of doing so. Not sure what this has to do with sponsoring network egress
buzer · 1h ago
The images are currently in Docker Hub. If $9/month (or $15, not 100% sure if $9 includes organizations) to keep those images available is too much for Bitnami I'm sure there are many organizations who wouldn't mind paying that bill for them (possibly even Docker Hub itself).
runamok · 1h ago
Does said network egress cost $50k per user?
rahkiin · 38m ago
It is sad to see how Broadcom cannot do padding right for mobile…
But on topic: why not create docker.io/bsi and let /bitnami as is without new updates? Then nothing breaks; it just won’t be possible to do upgrades. You’ll then figure out why and possibly seamlessly switch to your own build or BSI.
orthoxerox · 4m ago
Because "bitnami" has brand value. It makes business sense to reuse the name for the new service you are trying to sell.
gexla · 1h ago
Snooping around, it seems the license costs $50K+ annually. I'm not their target market. ;)
Valodim · 1h ago
From TFA
> BSI is effectively democratizing security and compliance for open source so that it doesn’t require million-dollar contracts from vendors with sky-high valuations.
I suppose 50k isn't a million dollar contract, but it's certainly also not "democratizing" anything
quectophoton · 1h ago
Understandable.
The way I see it, a software project has only (1) code you maintain or pay someone to maintain for you, and/or (2) throwaway code that you will eventually need to replace with an incompatible version.
Nothing wrong with a project that is just gluing throwaway code because it's a gamble that usually pays off. But if that code is from third-party dependencies, just don't believe for a second that those dependencies (or any compatible forks) will outlive your project, or that their developers have any incentive at all to help you maintain your project alive.
prmoustache · 41m ago
Is "brownout" a common or standard term in the industry? First time I see it.
aabhay · 38m ago
First heard about this when docker started rate limiting
miki123211 · 14m ago
Yes.
It refers to a situation where a system is deliberately designed to fail (usually for short periods of time), to still provide some level of service while alerting others that the system is soon to be turned off.
01HNNWZ0MV43FF · 29m ago
Yes I heard of GitHub doing it I think
You intentionally break something just a little to force dependents to notice, before turning it off completely
znpy · 28m ago
Yes. Going from green to red is called “browning out”.
jacquesm · 14m ago
That is not where the term comes from. Lights out -> Blackout (WWII, to stop overflying aircraft from having easy targets and to disrupt navigation). Reduced voltage on the grid -> lights go from white to orange and eventually to brown, not quite a blackout -> brown out.
mattkrause · 19m ago
Is that the origin?
I thought it was an analogy to the electrical problem: flickering lights due to high demand.
raesene9 · 1h ago
Good to see they decided to delay a bit and do some brownouts first. I took a quick look at the Docker hub stats (https://raesene.github.io/blog/2025/08/21/bitnami-deprecatio...) and it looks like some of those images are still getting hundreds of thousands or even millions of pulls a week.
bjornsing · 48m ago
24 hours? Wouldn’t it be better to do shorter bouts of scheduled unavailability so unknowing people’s systems will boot up without manual intervention, but still generate lots of nasty logs / alerts?
rollulus · 1m ago
I thought the opposite: 24h seems too brief to me, since many of their images are typically for long running servers, some people will receive a painful heads up only next year or later when their K8s pod gets scheduled to a new machine, requiring a (failing) pull.
asimovDev · 1h ago
Anyone using their PHP images? Have you switched to FPM or started to build the bitnami images from source?
repox · 58m ago
> Anyone using their PHP images?
With FrankenPHP, I can't imagine why I'd choose Bitnami anymore.
pveierland · 1h ago
Will any source to build new images remain available without subscription?
elephantum · 1h ago
They write in the press release, that the sources remain under Apache 2 license, they just stop distributing prebuilt images for free.
It looks like setting up a mirror and CI/CD on top of Github might work for some time. ghcr is free for public images
raffraffraff · 37m ago
Or if you have a decent sized deployment in one of the clouds, it's extremely likely you'll already use their internal registry (eg AWS ECR). I know that we do. So it's just a case of setting up a few docker build projects in git that push to your own internal registry.
aeijdenberg · 1h ago
I've been thinking a lot about this kind of thing recently - and put a prototype up of htvend [1] that allows you to archive out dependencies during an image build. The idea being that if you have a mix of private/public dependencies that the upstream dependencies can be saved off locally as blobs allowing your build process to be able to be re-run in the future, even if the upstream assets become unavailable (as appears to be the case here).
Is it clear whether the Debian image sources will continue to be maintained?
elephantum · 1h ago
I do not see direct statements that they will stop maintaining sources in open source.
We'll see :)
notimetorelax · 2h ago
Is anyone working on mirroring the images and keeping them updated?
mrweasel · 45m ago
Updating the Bitnami images is probably a bit of a challenge. From looking at them last year, I believe that they are build around a Bitnami style/framework. They are confusing at best.
If you're Bitnami it probably made sense to do it the image the way they did, but for everyone else, it's just a massive complication.
Personally I don't understand why anyone would have opted to use the Bitnami images for most things. They are really large and complex images and in most cases you'd probably be better of building your own images instead.
My guess is that there's a very small overlap between people who want to maintain Docker images, and the people who chose to run Bitnamis images.
miyuru · 5m ago
> Personally I don't understand why anyone would have opted to use the Bitnami images for most things.
At my previous company, we used it because of the low CVE counts. We needed to report the CVE count for every Docker image we used every month, so most of the images were from Bitnami.
There are many enterprise companies freeloading on Bitnami images, and I’m surprised it took Broadcom this long to make this change.
tux3 · 14m ago
The Docker images are complex for the sake of the Helm charts, which sometimes need to pass down tons of parameters
These aren't just for your laptop, they're supposed to be able to run in prod
I'm still stuck with 3 bitnami charts that I keep updated by building from source, which includes also building the images, all on our private registry.
runamok · 1h ago
In brief you need to switch the registry from (iirc) docker.io/bitnami to docker.io/bitnamilegacy. Note that as of iirc tomorrow those images will no longer be updated. So the moment there is a high or critical cve you better have a plan to use a new image and likely helm chart or send broadcom cash. The old registry will continue to have a "latest" tag but this should not be used for production.
finaard · 57m ago
According to the article the current situation already is a bit of a clusterfuck:
The Photon images provide many other benefits not previously available to users of Debian images, including:
- Drastically reduced CVE count (e.g., 100+ CVEs to in some cases 0)
kappuchino · 1h ago
That only works for weeks or so, since they won't be updated, according to the PR.
It's time to build your own from core / foundational images - something I recently learned and now seek to master.
shellwizard · 1h ago
Would you kindly share how to do it?
KronisLV · 13m ago
Not OP, but in general the process goes like this:
- you pick a base image you want to use, like Alpine (small size, good security, sometimes compatibility issues) or Debian or Ubuntu LTS (medium size, okay security, good compatibility) or whatever you please
- if you want a common base image for whatever you're building, you can add some tools on top of it, configuration, CAs or maybe use a specific shell; not a must but can be nice to have and leads to layer reuse
- you build the image like you would any other, upload it wherever you please (be it Docker Hub, another registry, possibly something self-hosted like Sonatype Nexus): docker build -t "my-registry.com/base/ubuntu" -f "ubuntu.Dockerfile" . && docker push "my-registry.com/base/ubuntu"
- then, when you're building something more specific, like a Python or JDK image or whatever, you base it on the common image, like: FROM my-registry.com/base/ubuntu
- the same applies not just for language tooling and runtimes, but also for software like databases and key value stores and so on, albeit you'll need to figure out how to configure them better
- as for any software you want to build, you also base it on your common images then
Example of cleanly installing some packages on Ubuntu LTS (in this case, also doing package upgrades in the base image) when building the base image, without the package caches left over:
In general, you'll want any common base images to be as slim as possible, but on the other hand unless you're a bank having some tools for debugging are nice to have, in case you ever need to connect to the containers directly. In the end, it might look a bit like this:
upstream image --> your own common base image --> your own PostgreSQL image
upstream image --> your own common base image --> your own OpenJDK image --> your own Java application image
In general, building container images like this will lead to bigger file sizes than grabbing an upstream image (e.g. eclipse-temurin:21-jdk-noble) but layer reuse will make this a bit less of an issue (if you have the same server running multiple images) and also it can be very nice to know what's in your images and have them be built in fairly straightforwards ways. Ofc you can make it way more advanced if you need to.
Also, I'm a little bit wondering at how much all of this is really copyrightable in the end. Because if you keep it private I understand, but here it is basically for each package just a few lines, recipes to build the components that they don't own. Like trying to copyright the line "make build".
And it might be each the single and obvious way to package the thing anyway.
And speaking at the built artefacts, usually a binary distribution of third party open source software with common license should preserve the same rights to the user to access the source code, the instructions to build, and the right to redistribute...
It's a shame that competition for this position has been ramping up lately.
The evil part is in outright breaking people's systems, in violation of the implicit agreement established by having something be public in the first place.
I know Broadcom inherited Bitnami as part of an acquisition and legally have no obligation to do anything, but ethically (which is why they are evil, not necessarily criminal) they absolutely have a duty to minimise the damage, which is 100% within their power & budget as others have pointed out.
And this is before you even consider all the work unpaid contributors have put into Bitnami over the years (myself included).
But on topic: why not create docker.io/bsi and let /bitnami as is without new updates? Then nothing breaks; it just won’t be possible to do upgrades. You’ll then figure out why and possibly seamlessly switch to your own build or BSI.
> BSI is effectively democratizing security and compliance for open source so that it doesn’t require million-dollar contracts from vendors with sky-high valuations.
I suppose 50k isn't a million dollar contract, but it's certainly also not "democratizing" anything
The way I see it, a software project has only (1) code you maintain or pay someone to maintain for you, and/or (2) throwaway code that you will eventually need to replace with an incompatible version.
Nothing wrong with a project that is just gluing throwaway code because it's a gamble that usually pays off. But if that code is from third-party dependencies, just don't believe for a second that those dependencies (or any compatible forks) will outlive your project, or that their developers have any incentive at all to help you maintain your project alive.
It refers to a situation where a system is deliberately designed to fail (usually for short periods of time), to still provide some level of service while alerting others that the system is soon to be turned off.
You intentionally break something just a little to force dependents to notice, before turning it off completely
I thought it was an analogy to the electrical problem: flickering lights due to high demand.
With FrankenPHP, I can't imagine why I'd choose Bitnami anymore.
Edit: As I see it's true.
Source code for OCI images: https://github.com/bitnami/containers/tree/main/bitnami
Charts: https://github.com/bitnami/charts/tree/main/bitnami
If you look at the folders there, you'll see that all of the older Dockerfiles have been removed, even for versions of software that are not EOL.
For example:
PostgreSQL 13 (gone): https://github.com/bitnami/containers/tree/main/bitnami/post...
PostgreSQL 14 (gone): https://github.com/bitnami/containers/tree/main/bitnami/post...
PostgreSQL 15 (gone): https://github.com/bitnami/containers/tree/main/bitnami/post...
PostgreSQL 16 (gone): https://github.com/bitnami/containers/tree/main/bitnami/post...
PostgreSQL 17 (present): https://github.com/bitnami/containers/tree/main/bitnami/post...
> The source code for containers and Helm charts remains available on GitHub under the Apache 2.0 license.
Ofc they're all still in the Git history: https://github.com/bitnami/containers/commit/7651d48119a1f3f... but they must have a very interesting interpretation of what available means then.
[1] https://github.com/continusec/htvend
We'll see :)
If you're Bitnami it probably made sense to do it the image the way they did, but for everyone else, it's just a massive complication.
Personally I don't understand why anyone would have opted to use the Bitnami images for most things. They are really large and complex images and in most cases you'd probably be better of building your own images instead.
My guess is that there's a very small overlap between people who want to maintain Docker images, and the people who chose to run Bitnamis images.
At my previous company, we used it because of the low CVE counts. We needed to report the CVE count for every Docker image we used every month, so most of the images were from Bitnami.
There are many enterprise companies freeloading on Bitnami images, and I’m surprised it took Broadcom this long to make this change.
These aren't just for your laptop, they're supposed to be able to run in prod
I'm still stuck with 3 bitnami charts that I keep updated by building from source, which includes also building the images, all on our private registry.
The Photon images provide many other benefits not previously available to users of Debian images, including:
It's time to build your own from core / foundational images - something I recently learned and now seek to master.