Nutanix accused of violating open source licence in object storage product

Enterprise cloud and storage company Nutanix has been accused by object storage platform MinIO of violating its open source licence.

MinIO said Nutanix failed to provide IP guarantees and source identification to its users, flouting a core principle of the open source model.

“Nutanix has been in continued violation of the Apache v2 and we believe they may also be in violation of the GNU AGPL v3 versions of MinIO,” the company said.

Garima Kapoor, co-founder and COO at MinIO, clarified the accusations further in a post on LinkedIn, adding that “Nutanix has failed to convey MinIO’s original license headers and the text of the license, as well as the included patent and copyright licenses.

“Stripping off license headers on purpose to pass innovation from a start-up and showcasing it as their own is a willful infringement and more important against business ethics,” she added.

“As a result, MinIO has revoked Nutanix’s licence or sublicence under Apache v2 and GNU AGPL v3,” it said in a blog post.

MinIO also claimed that it had been in discussions with Nutanix for three years, trying to resolve the compliance issues in good faith, but that Nutanix “has not made meaningful progress”.

The company said open source licences are critical for helping users understand from where their software originates, while also helping to improve security through transparency.

“It also guarantees basic freedoms of use and distribution,” said MinIO.

“We are disappointed to have to call out Nutanix, but we must protect MinIO users and ensure they understand the rights they are owed by Nutanix,” it added.

Nutanix told IT Pro that the company recognises "the value of the open source communities and take our participation and stewardship very seriously".

"With respect to some recent allegations in a blog that we may have used software in possible violation of an open source license in our Objects product, please note that Nutanix stands behind our products, including any open source that we incorporate into them, and commits to indemnifying our customers against intellectual property claims arising out of the use of our products, should the need ever arise.

"We will be reaching out to engage with the blog’s author promptly and will continue to update the community here," it added.

MinIO alleges that Nutanix has been distributing its object storage technology throughout the Nutanix Objects stack since its introduction in 2018, but has not disclosed this to its users.

Updated earlier this month, the documentation for Nutanix Objects does not mention MinIO, and accessing the details of the product’s associated open source licensing requires a Nutanix customer login.

What MinIO's investigation found

MinIO published its step-by-step method of discovering the evidence to support its allegations.

  1. The company created a Nutanix Object Store from the Nutanix UI
  2. Connected to the MSP cluster over SSH using the command:
    nutanix@PCVM:~$ mspctl cluster ssh [cluster_name]
  3. Attached to the object controller pod using the command:
    kubectl exec -it object-controller-0 -- bash

[Screenshot of the terminal used by MinIO to determine the open source license violation. Image credit: MinIO]

MinIO said its object storage binary was found in the Nutanix object controller pod and can be seen in the screenshot above.

“Nutanix just put a wrapper around a modified version of the MinIO binary inside their object storage platform,” MinIO said. “Nutanix also did not disclose the usage of MinIO in their Open Source Disclosures or EULA to their customers.

“Ultimately, this is about innovation,” it added. “MinIO continues to innovate in the space and we have worked tirelessly to create the best object store on the market. We are proud to defend that work.”

MinIO advised Nutanix Objects customers to assess their exposure to legal and security risks since they may not be on the latest version of MinIO Object Storage software and may not be receiving adequate IP licences from Nutanix.

Connor Jones