Bug#803713: Elasticsearch should not be part of a Debian release

Hilko Bengen bengen at debian.org
Sat Nov 19 15:33:45 UTC 2016


control: severity -1 serious
control: retitle -1 Elasticsearch should not be part of a Debian release

At this point, there is no point in releasing with an elasticsearch
package.

There is no indication of a change in upstream security policy. In a
misguided attempt to slow down attackers, the upstream project has
actively refused to give specific information on how security bugs have
been fixed. This behavior is incompatible with promise #3 of our Social
Contract. See DSA-3389,
<https://github.com/elastic/elasticsearch/issues/12398>.

The open source core of Elasticsearch lacks features that are essential
for serious use in a datacenter or "cloud" setting: Encryption and
authentication/authorization for both client/server and inter-node
communication are only possible if a license for a non-free,
closed-source plug-in (formerly called "Shield", now "Security") has
been purchased. While there have been repeated enquiries and even pull
requests to add those features to the core, those have been constantly
ignored. See <https://github.com/elastic/elasticsearch/issues/664>,
<https://github.com/elastic/elasticsearch/issues/1379>.

In the space of cluster health monitoring utilities where Elastic has
started selling a non-free, closed-source plug-in called "Marvel", there
seem to be similar trends.

No Debian developer should feel obliged to put effort into supporting
packages for this software.

Users are better served using Elastic's "official" packages, even though
they would clearly not pass our packaging quality standards (Lintian
flags 10 errors in elasticsearch-5.0.1).

Cheers,
-Hilko
