Thanks Yong for raising this. Indeed, it is unfortunate that there will be no more official MinIO OSS releases. It is also unfortunate that the latest Git tag with the CVE fix wasn't released as a container image. Initially (before the most recent announcement) I thought there would be at least new Git tags, so I started a project to build images for those [1]. But that's now useless, because the OSS repo is no longer updated.
I tried to find an alternative that provides both solid S3 and IAM/STS support, but could not find even one that's easy to start with - with the criteria of requiring just a one non-resource intensive containers, as we also need something supporting S3 _and_ STS/IAM for integration testing. There are a lot of S3 compatible alternatives without IAM/STS. What I didn't try is to check whether for example Ceph can be tweaked to support that. I also haven't tried localstack for integration testing yet [2]. Not sure whether every (potential) user recognized and understood the recent MinIO OSS changes. Technically, MinIO OSS is still usable for integration testing purposes and potentially for pure experimentation work. WDYT of adding a disclaimer on top of the current MinIO page clearly stating (and linking) the status of MinIO OSS and at the same time propose alternatives, for example Ceph, as you proposed? Robert [1] https://github.com/snazy/maxio-daily [2] https://docs.localstack.cloud/aws/services/iam/ On Thu, Jan 8, 2026 at 7:49 AM Yong Zheng <[email protected]> wrote: > > Hello, > > We have MinIO support as S3 compatible storage and this is great as it allows > users to quickly test out Apache Polaris as a catalog and write to a S3 > compatible storage. However, as MinIO is now under maintenance mode only for > OSS (https://github.com/minio/minio?tab=readme-ov-file), we won't be able to > get updated images from public image registry, should we consider switch our > primary getting-start example to non-MinIO one instead (the current one is > MinIO as backend: > https://github.com/apache/polaris/blob/main/getting-started/quickstart/docker-compose.yml)? > Without doing so, users will be likely pulling down outdated MinIO images > with critical CVEs couple months later for their local setup to play around. > If using outdated MinIO is a concern as the getting-start example, maybe we > should switch to the Ceph one > (https://github.com/apache/polaris/blob/main/getting-started/ceph/docker-compose.yml) > but updated it to match the same layout? > > Thanks, > Yong Zheng
