
Elasticsearch end-of-life in Debian Stable - Rovanion
https://lists.debian.org/debian-security-announce/2015/msg00290.html
======
gnoway
Elasticsearch has provided their own package repositories since December 2013.

[https://www.elastic.co/blog/apt-and-yum-repositories](https://www.elastic.co/blog/apt-and-yum-repositories)

~~~
vbernat
It's not a substitute for distribution-maintained packages. With no security
support, you'll have to track and upgrade to the latest version. In contrast
with other software, you'll have to upgrade your ES cluster (and potentially
apply specific upgrade steps) several times a year.

~~~
gnoway
I wasn't asserting anything here, just pointing out that there has been an
alternative for almost 2 years.

It looks like ES separates repos by version[0], if that helps at all.

[0] [https://www.elastic.co/guide/en/elasticsearch/reference/mast...](https://www.elastic.co/guide/en/elasticsearch/reference/master/setup-repositories.html)
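
Following on from the version-separated repositories mentioned above, here is an added example (not code from the thread, from Debian or from Elastic) of what actually using such a repo on Debian looks like once the distro package has lost security support: a signed-by apt source tied to one release series plus a pin so that routine upgrades stay inside that series. The repository layout `https://packages.elastic.co/elasticsearch/<series>/debian stable main`, the key URL `https://packages.elastic.co/GPG-KEY-elasticsearch`, and the rule that series are named `1.7`-style below 2.0 and `2.x`-style from 2.0 are assumptions about the layout Elastic published at the time, not facts stated on the page; check them against current Elastic documentation before use.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastic/Debian.
# Lays down a series-pinned Elasticsearch apt source on a Debian host.
#
# ASSUMPTIONS (not stated on the page):
#   - repo layout: https://packages.elastic.co/elasticsearch/<series>/debian stable main
#   - signing key:  https://packages.elastic.co/GPG-KEY-elasticsearch
#   - series naming: <major>.<minor> below 2.0, <major>.x from 2.0 onward
set -eu

ELASTIC_KEY_URL="https://packages.elastic.co/GPG-KEY-elasticsearch"

# Fetch the repo signing key into a dedicated keyring (needs network; never
# pipe a key into apt-key, keep it scoped to this one source via signed-by=).
#   $1 = destination keyring path
fetch_elastic_key() {
  keyring=$1
  curl -fsSL "$ELASTIC_KEY_URL" | gpg --dearmor -o "$keyring"
}

# Map a package version to its repository series: 1.7.3 -> 1.7, 2.1.0 -> 2.x
# (assumed naming scheme, see header).
#   $1 = version string such as 1.7.3
series_for_version() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  if [ "$major" -ge 2 ]; then
    echo "$major.x"
  else
    echo "$major.$minor"
  fi
}

# Write the source list and an apt pin so that `apt-get upgrade` only moves
# within the chosen series and never silently jumps to another major release
# (which, as the thread notes, can require cluster-level upgrade steps).
#   $1 = series, e.g. 1.7 or 2.x
#   $2 = apt configuration root (default /etc/apt; use a temp dir for a dry run)
#   $3 = keyring path written by fetch_elastic_key
write_elastic_source() {
  series=$1
  apt_root=${2:-/etc/apt}
  keyring=${3:-/usr/share/keyrings/elasticsearch-keyring.gpg}

  # Refuse anything that is not <digits>.<digits-or-x>: the series string ends
  # up in a URL and a file name, so do not accept arbitrary input.
  case $series in
    [0-9]*.[0-9x]*) ;;
    *) echo "invalid series: $series" >&2; return 1 ;;
  esac

  mkdir -p "$apt_root/sources.list.d" "$apt_root/preferences.d"

  # signed-by= binds this source to that one key: apt rejects the repository
  # if its Release file is not signed by it (requires apt >= 1.1).
  printf 'deb [signed-by=%s] https://packages.elastic.co/elasticsearch/%s/debian stable main\n' \
    "$keyring" "$series" > "$apt_root/sources.list.d/elasticsearch-$series.list"

  # Prefer Elastic's origin for the elasticsearch package only, and forbid a
  # Debian backport from ever replacing it behind your back.
  cat > "$apt_root/preferences.d/elasticsearch" <<EOF
Package: elasticsearch
Pin: origin packages.elastic.co
Pin-Priority: 1001

Package: elasticsearch
Pin: release o=Debian Backports
Pin-Priority: -1
EOF
}

# Direct invocation: sh elastic-apt.sh <series> [apt_root] [keyring]
# e.g. a dry run:    sh elastic-apt.sh 1.7 /tmp/apt-dryrun /tmp/es.gpg
if [ $# -ge 1 ]; then
  write_elastic_source "$1" "${2:-/etc/apt}" "${3:-/usr/share/keyrings/elasticsearch-keyring.gpg}"
  echo "wrote source and pin for series $1"
fi
```

The pin is the part people forget: with a series-specific source you still have to notice when upstream stops shipping fixes for that series and move to the next one deliberately (and run whatever cluster upgrade steps that release needs), which is exactly the tracking burden the reply above describes.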

------
0x0
Seems like Debian is getting more aggressive on EOL'ing specific packages'
security support, and/or upgrading to new upstream releases in the stable
distro, lately. There's been version bumps on mysql, php, openjdk and I think
virtualbox.

At least we're getting security support(1), but it's a little concerning that
more and more upstream vendors seem to leave long-term distros in the dust :-/
Is this a new development? I can't remember similar EOL announcements even
just a year ago. Although better to actually announce this than letting
packages linger unattended/unannounced...

(1) except php security support in wheezy is also already EOL'ed, before the
usual wheezy EOL.

~~~
derefr
I feel like Debian has maybe finally cottoned onto the idea that it only
really makes sense to do "transparently apply security upgrades"-style LTS
support for packages that are actual OS infrastructure, because people are
increasingly vendoring/containerizing anything that affects whether their app
works.

In other words (presuming containerization): Debian LTS _is_ the thing you
install a Docker daemon onto and then forget about. But Debian LTS is
obviously _not_ for use as a container base-image (container-images don't
auto-upgrade; and they can be QAed on each app release to ensure the app works
with ABI changes of deps.)

Given those two facts, LTS support these days really only has to apply to
things that will be run as part of the (from a developer's perspective)
black-box abstraction that is "the OS", rather than considered a part of the
"service and its dependencies" slug which gets versioned and deployed by the
service-owner.

~~~
amyjess
> I feel like Debian has maybe finally cottoned onto the idea that it only
> really makes sense to do "transparently apply security upgrades"-style LTS
> support for packages that are actual OS infrastructure, because people are
> increasingly vendoring/containerizing anything that affects whether their
> app works.

Or, for that matter, since Elasticsearch is written in Java, most Java
developers just use Maven to pull in dependencies and don't even bother using
the OS package manager.

~~~
mkhpalm
I don't think the vast majority of us know how to.

------
dikaiosune
For someone who's not terribly familiar with Debian's packaging system and
policies, can someone explain this? Is it saying you'll no longer be able to
type

`apt-get install elasticsearch`

in future Debian releases? Or is this something else?

~~~
orik
This is kinda correct: you won't be able to get it like that out of the box
anymore in jessie stable, but you will be able to get it in unstable or by
adding backports to your system.

They think it's too insecure to include in stable.

~~~
duskwuff
Not so much that it's "insecure" in general; more that upstream has made it
infeasible for Debian to provide backported security patches for a stable
version.

~~~
technomancy
I'm not sure there's a difference in practice.

Sure it's not that there are known problems, but security isn't a thing you
have or don't have; it's a process. If your process for identifying and fixing
security flaws is broken, that's insecure.

~~~
duskwuff
Upstream is patching security flaws just fine. The problem is that you can't
get the security fixes _alone_; they only come along with version updates,
which Debian stable doesn't want.

~~~
technomancy
I understand this; I'm saying that a security process that ignores users who
value stability over the latest hotness _is_ broken for all use cases I
actually care about.

