Getty Images

Docker Free Team concerns linger after mea culpa

Docker apologized for a 'terrible job' sharing its plan to deprecate a Free Team subscription, but some observers remain worried about security implications from the transition.

Docker issued an apology and some clarification after the end of its Free Team subscription roiled the open source community last week, but concerns about the transition remain for some users.

Docker clarified that it will not delete container images from Docker Hub, after the first communication from the company mentioned that data might be subject to deletion and access to accounts frozen after 30 days.

But users of the now-discontinued option still had questions about the potential for stale images to linger in soon-to-be-defunct Docker Hub accounts, while some commentators critiqued Docker's departure from its roots as an open source company. Other industry experts said this move is imperative for Docker at this stage of its business, similar to changes to Docker Desktop pricing in 2021.

"Their strategy is to focus on revenue-generating customers," said Larry Carvalho, independent analyst at RobustCloud, in an online interview. "Even large vendors have limited support for free tiers. Docker is tiny and trying to improve profitability."

Docker notified Free Team users March 14 that the subscription tier will be discontinued. Free Team subscriptions are primarily used by open source organizations, which now have the option to upgrade to a paid Team subscription, which starts at $300 per year, or join the free Docker-Sponsored Open Source Program, which requires an application and review process. The initial wording of the notification to Free Team subscribers raised alarms, given that it appeared to threaten the deletion of data and freezing access to accounts.

"If you own a legacy Free Team organization, access to paid features -- including private repositories -- will be suspended on April 14, 2023," the message read. "If you don't upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion."

Docker later issued an apology for the wording of this original notification in a company blog post published March 16 by Tim Anglade, the company's chief marketing officer.

"Public images will only be removed from Docker Hub if their maintainer decides to delete them," Anglade's blog post stated. "We're sorry that our initial communications failed to make this clear."

The Docker apology post also included a link to another company post about updates to the Docker-Sponsored Open Source Program, which had come under criticism as an alternative to Docker Free Team in the wake of the first deprecation notification. Docker also added that Free Team users comprise just 2% of its user base.

Container image security questions linger after clarification

Still, that 2% and other interested parties remained vocal in a thread on GitHub after the apology post. Posters to that thread expressed concern about whether images that remain on Docker Hub from deprecated Free Team accounts might grow stale and be subject to security vulnerabilities.

"The issue of security is completely left out of the equation and thus the trust in Docker is completely gone," wrote Björn Wenzel, platform engineer at Schenker AG, on March 17. "Especially with the question of what happens in a year? Will there be another announcement out of nowhere and again only 30 days and all OSS projects are dead?"

There are still some corner scenarios that will impact many in the coming months.
Saiyam PathakDirector of technical evangelism, Civo Cloud

There are some open source organizations that will struggle to come up with the money for a paid Team subscription but won't qualify for the Docker-Sponsored Open Source Program if they are commercialized, said Saiyam Pathak, director of technical evangelism at cloud hosting company Civo Cloud, in an online interview March 17.

"What about the individuals who [maintain] projects and make some money from it as well ... given how much time it takes to get a sponsorship granted for a project?" Pathak said. "There are still some corner scenarios that will impact many in the coming months."

This is also an opportunity for other organizations to supplant Docker Hub as a clearinghouse for open source container images, another GitHub commenter said.

"Honestly, in light of all this, I hope that the CNCF or the Linux Foundation curate a non-corporate, community-blessed container registry that is solely for F/OSS projects," wrote Jesse Adelman, a computing automation consultant at Ahead, a Chicago-based technical services company, in a post on March 17.

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on Software design and development