Bug#803713: Elasticsearch should not be part of a Debian release

2018-03-09 Thread Nicolas Braud-Santoni
Control: clone -1 -2
Control: retitle -2 RM: elasticsearch -- ROM; NPOASR; unmaintained since ~2 years; security issues
Control: severity -2 normal
Control: reassign -2 ftp.debian.org

On Thu, Mar 08, 2018 at 11:17:20PM +0100, Emmanuel Bourg wrote:
> Le 08/03/2018 à 22:50, Nicolas Braud-Santoni a écrit :
> 
> > Given that this is the last activity on the package, that the last upload
> > is almost 2 years old, and that no progress has been made towards fixing the
> > RC bugs (esp. the issues wrt. security), should we ask ftp-masters to remove
> > this package from sid?
> 
> +1

OK, requesting the removal.



Bug#803713: Elasticsearch should not be part of a Debian release

2018-03-08 Thread Emmanuel Bourg
Le 08/03/2018 à 22:50, Nicolas Braud-Santoni a écrit :

> Given that this is the last activity on the package, that the last upload
> is almost 2 years old, and that no progress has been made towards fixing the
> RC bugs (esp. the issues wrt. security), should we ask ftp-masters to remove
> this package from sid?

+1



Bug#803713: Elasticsearch should not be part of a Debian release

2018-03-08 Thread Nicolas Braud-Santoni
On Mon, Nov 21, 2016 at 09:33:18PM +0100, Hilko Bengen wrote:
> * Emmanuel Bourg:
> > Do you think elasticsearch should be removed from unstable?
> 
> Not necessarily. It should just not become part of stretch because there
> is no sensible way to support it.

Given that this is the last activity on the package, that the last upload
is almost 2 years old, and that no progress has been made towards fixing the
RC bugs (esp. the issues wrt. security), should we ask ftp-masters to remove
this package from sid?


Best,

  nicoo



Bug#803713: Elasticsearch should not be part of a Debian release

2016-11-21 Thread Hilko Bengen
* Emmanuel Bourg:

> Do you think elasticsearch should be removed from unstable?

Not necessarily. It should just not become part of stretch because there
is no sensible way to support it.

BTW: Apparently I was wrong about the 1.7.x branch no longer being
supported by the upstream project: A tag for v1.7.6 recently appeared in
the Github repo a few days ago. Their policy about security issues is
still Oracle-grade stupid and user-hostile.

Cheers,
-Hilko



Bug#803713: Elasticsearch should not be part of a Debian release

2016-11-19 Thread Emmanuel Bourg
Hi Hilko,

Do you think elasticsearch should be removed from unstable?

Emmanuel Bourg



Bug#803713: Elasticsearch should not be part of a Debian release

2016-11-19 Thread Hilko Bengen
control: severity -1 serious
control: retitle -1 Elasticsearch should not be part of a Debian release

At this point, there is no point in releasing with an elasticsearch
package.

There is no indication of a change in upstream security policy. In a
misguided attempt to slow down attackers, the upstream project has
actively refused to give specific information on how security bugs have
been fixed. This behavior is incompatible with promise #3 of our Social
Contract. See DSA-3389,
.

The open source core of Elasticsearch lacks features that are essential
for serious use in a datacenter or "cloud" setting: Encryption and
authentication/authorization for both client/server and inter-node
communication are only possible if a license for a non-free,
closed-source plug-in (formerly called "Shield", now "Security") has
been purchased. While there have been repeated enquiries and even pull
requests to add those features to the core, those have been constantly
ignored. See ,
.

In the space of cluster health monitoring utilities where Elastic has
started selling a non-free, closed-source plug-in called "Marvel", there
seem to be similar trends.

No Debian developer should feel obliged to put effort into supporting
packages for this software.

Users are better served using Elastic's "official" packages, even though
they would clearly not pass our packaging quality standards (Lintian
flags 10 errors in elasticsearch-5.0.1).

Cheers,
-Hilko