
> Just to be clear: THEY already have to maintain the Docker image and it makes it less secure for EVERYONE if the community now needs to either find a new GitHub repo/company building it for them or everyone has to build it themselves because they do not trust random companies.

Wrong - it would be less secure if they did not share the source code and the Dockerfile along with that too. As long as you take care to regularly update, where is the problem?



So just to be clear, they publish the Docker image, they have a GitHub Action which is basically free for them to build and release it into a free registry, but they don't do it.

So I set up everything to do this on my GitHub with their code and publish it on my package.

And you don't think this is stupid?

The problem is the criticism of how they act, and even if they release everything and it's just building the image, you can't trust another source to upload the image someone else has built with this file. So now everyone has to build the same image.


The scenario you described is mainly just benefiting you. Whether Min.IO loses or wins something based on this decision will remain to be seen. In either case they don't owe it either to me or to you to provide a built image, especially as they continue to provide the source, including the Dockerfile. In either case, if in your setup you are not able to rebuild an image off of a Dockerfile, your setup is worth rethinking. Not to mention that on the security side, it's quite irresponsible to depend on an image from a public repo without at least pulling it through an internal artifact management system with vulnerability scanning.



