The Elasticsearch license saga

by | Feb 9, 2021 | Cybersecurity, Information Technology, InfoSec | 0 comments

As you may know from my posts, I like Elasticsearch. However, Elastic, the Elasticsearch company, recently announced it’s decision to change the license of it’s open-source products. Since then, the community largely reacted to this. Let me explain.

Benefits of Elasticsearch

Customers and the open-source community enjoyed a variety of services offered by Elastic through its products (like Elasticsearch). Elasticsearch is a distributed search engine providing a number of features that make data processing more efficient and effective while maintaining its ability of scalability, speed and resilience. Elasticsearch through its partner product Kibana, Beats and Logstash provide a simplified way of data visualization, ingest and reporting. The other very reliable feature is its distributable nature which allows it to handle a huge size of data without compromising performance. It provides a real-time search platform which provide the shortest time possible when a user makes a search.

The open-source community contributes much on this product through various ways like providing codes and documentation, bugs report, write of tutorial, blogs etc. Elasticsearch was providing the code under the Apache v2 license. All this makes everyone feel the meaning of “open” in “open-source”. A report by macrotrends shows that the company net worth from 2018-2020 is estimated as $14.33B. This is an indication of how big the customer base is, and the revenue generated help contribute to the open-source community.

The context

On February 27’th 2018, the Elastic company CEO, Shay Banon, delivered a message on their website that mealy read as an announcement for the release of the new repository for their products on the version 6.3. A new folder in the code, named X-Pack, was created and all the proprietary product code moved to that folder under the elastic license which many customer and open-source code community believed that was a way of facilitating greater collaboration.

He affirmed that their products had to be open source hence providing the opportunity to reach so many people who can provide their contribution through various ways and even enable a push for what was seen, at the time, as a pipe dream. He even committed himself that as a company they will ever maintain to be open as a way of building their business.

However, on January 14’th 2021, Shay Banon announced that they were moving away from the truly open-source license (Apache v2) to the newer Server Side Public License (SSPL). The open-source community was shocked to realize that in order to use the Elastic products, you now had to agree to the terms and conditions of the SSPL or the elastic license. The former as new as it looks deprive the organizations of their intellectual property rights when observed from the spirit of “open source” in the business environment:

By using an SSPL project in your code, you are agreeing that if you provide an online service using that code then you will release not only that code but also the code for every supporting piece of software, all under the SSPL. It’s not a stretch to interpret the wording of the license as requiring users of the SSPL’d software therefore to release the code for everything straight down to the bare metal.

https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks

From Elastic’s website:

https://www.elastic.co/pricing/faq/licensing

Why this move to the new SSPL Elasticsearch license

The elastic company felt that “enough is enough” and that they should protect its product from cloud service providers whose intention was to capture the value of the same product while contributing nothing to the open-source community, as expressed by Eliot Horowitz, CTO and co-founder of MongoDB. Together with elastic’s CEO, they felt that companies like Amazon that are providing this product as a Software as a Service, without the knowledge or the consent of the Elastic company while misleading the community that they are, is “not ok”. They tried and didn’t succeed to resolve this issue through courts.

A new hope

In response, AWS announced that it will create and maintain an Apache v2 licensed fork of Elastisearch and Kibana. They further expressed that the choice to fork a project was the right path forward when the community needs are diverging. To emphasize it, they stated that they are in the game for a long haul and ready to work in a way that will create a healthy and sustainable open-source practice.

Logz.io joined the fray and expressed their concern as to why they think the change of license from Elastic, at the expense of the open-source community, is “not OK”. In a retaliatory tone, they gave their objective to have projects driven by multiple organizations rather than a single commercial entity and plans to collaborate with such organizations (like Amazon) that believe that those products, Elasticsearch and Kibana, need to stay open source.

References

2021-04-18 Update

AWS announced they will be actively developing OpenSearch and OpenSearch Dashboard to replace Elasticsearch and Kibana, respectively. Both these new products will be fully opensource under the Apache 2.0 License.
Source: https://aws.amazon.com/blogs/opensource/introducing-opensearch/

Liked it? Take a second to support Tristan Dostaler on Patreon!

0 Comments

Leave a Reply

%d bloggers like this: