Unfortunately, since June 2018, we have witnessed significant intermingling of proprietary code into the code base. While an Apache 2.0 licensed download is still available, there is an extreme lack of clarity as to what customers who care about open source are getting and what they can depend on. For example, neither release notes nor documentation make it clear what is open source and what is proprietary. Enterprise developers may inadvertently apply a fix or enhancement to the proprietary source code. This is hard to track and govern, could lead to breach of license, and could lead to immediate termination of rights (for both proprietary free and paid). Individual code commits also increasingly contain both open source and proprietary code, making it very difficult for developers who want to only work on open source to contribute and participate. In addition, the innovation focus has shifted from furthering the open source distribution to making the proprietary distribution popular. This means that the majority of new Elasticsearch users are now, in fact, running proprietary software. We have discussed our concerns with Elastic, the maintainers of Elasticsearch, including offering to dedicate significant resources to help support a community-driven, non-intermingled version of Elasticsearch. They have made it clear that they intend to continue on their current path.
Companies that publish open source must realize that they cannot make money from the "software". Open source gives companies a brand, that they can then leverage to do other services like support, consulting, hosting, merchandise, events, etc.
There was a time when service companies wanted to move into products because of high margins and artificial scarcity, but enough open source will ensure that software licensing is not a sustainable model to seek rent, and product companies must also move to services to be able to grow and sustain.
> but enough open source will ensure that software licensing is not a sustainable model to seek rent
So your solution to this is to just make it so no one can make money doing work.
Except Jeff. Jeff gets all the money.
In my mind, a company that makes lots of free contributes to open source is an open-source-friendly company, but this thread and the other on the Elastic post made me realize just how many people think that a True Open Source Company (whatever that means) should prefer to go out of business to dealing in proprietary software.
I personally don't care for any of these puritanical viewpoints that deny economic realities (there's only so much a person or a collective can afford to give away for free, money doesn't grow on trees, etc). Open source is good, but thriving, sustainable open source depends on a symbiotic relationship with for-profit institutions.
They started on their own Redis fork a while ago as ElastiCache has had baked in SSL for over a year and half now. While it's possible they've added it via an stunnel type software stop it, I'd bet for efficiency and simplicity it's baked into their internal fork: https://aws.amazon.com/blogs/security/amazon-elasticache-now...
I think this is a win for the Elastic community as a whole, but presents a real problem for Elastic the company. And that begs the question of what happens to the Elastic community if there's a real fork. And what happens if Elastic the company is very negatively impacted? Do we see a fracture of the community?
Looking even farther out, at this point does it make sense for any startup looking to create infrastructure software to open source it? If their project becomes successful, they'll get eaten up by the hosting providers. It makes smaller scale open source more commercially viable because you won't attract the attention of the providers that would come in a take your business.
Will be interesting to at least watch what early stage VC investment in open source companies looks like over the next 12-24 months. Will the open source pitch work for series A investments or will investors shy away?
I think their open sourcing of this work is a direct response to the recent license changes. If it weren't for those, they might have just kept this work closed and in use only for the hosted product (like they do with many other projects).
They took the closed XPack code and put it into the open source Elastic repo, but under a commercial license. It muddied the waters for anyone looking to use or contribute to the open source.
Now the default install includes X-Pack, and you have to go out of your way (assuming you even realize that there is difference) to install the 100% Apache 2.0 licensed version.
Of course it still does, just not under permissive licenses. Hopefully the industry will converge on Kyle Mitchell's license for this, instead of everyone coming up with their own licenses:
I'm no lawyer, but this sounds like complete nonsense.
I wonder why you say that? It's kind of obvious that somebody was going to do it sooner or later to protect themselves, no? Perhaps fearing the license change?
> So you effectively get a fork.
Yup, I assume that will happen, too.
With Elastic, this looks like it's half marketing on AWS' part. They want to start repairing their image in the OSS world so they say they're doing this for the community.
So it does seem to be a pattern this year.
I’m actually suprised they’re moving so slowly with OSS. I assumed they were going to go a lot more aggressively in this direction when they hired Adrian Cockcroft over 2 years ago now.
Small scale open source isn't technologically viable.
> In the past they haven't seemed to be willing to contribute to the OSS
They are extremely hostile to the idea.
As I understand it, Amazon took ElasticSearch and monetized it, therefore competing directly with Elastic (the company that develops ElasticSearch). Elastic felt Amazon was taking advantage of Elastic's commitment to open source, and started developing new features under a proprietary license, but releasing them for free. The idea was to prevent their work from benefiting a competitor.
Basically in this blog post, Amazon is trying to make the case that they're a Good Tech Company and Elastic are the Bad Guys or something. Generally I'm all for nuance and "the truth is probably somewhere in the middle", but Elastic is the rare company that truly is committed to open source (at least at the current moment in history) and Amazon is, well, Amazon.
I know there's more context here, and I'm sympathetic to Elastic's position, but "Elastic loves open source so much they made proprietary features to hurt their competitors!" is a bit....Orwellian as far as defenses.
I don't think this comes across as pro-Elastic as you think it does. :)
I don't think that's a fair interpretation. They're not going on the attack, after all. Amazon's capitalization on ElasticSearch constitutes an existential threat to Elastic, not the other way around. Elastic is very much defending its existence, which, by the way, is the primary sponsor for the open source project. Moreover, the interpretation ignores that the "proprietary features" in question (including their source code) are available for free to the public.
I'm open to the idea that there were better (i.e., friendlier to open source) recourses available, but I'm not pursuaded by purist arguments that don't address the existential threat to Elastic and the ElasticSearch project.
The first is not a given at all, and the second is what leads to it being a foregone conclusion with the question being not if but when someone will eat your lunch whether its Amazon or users choosing to DIY.
Most of Elastic's critics in this thread seem to believe that, as the primary sponsor of the project, everything Elastic does must be open source (apparently) at all costs or they are somehow anti-open-source or otherwise "worse for open source" than Amazon.
Given that and the fact that Elastic is the primary sponsor of the ElasticSearch open source project, it is obvious that this action actually is in the best interest of open source, as it allows Elastic to continue sponsoring ElasticSearch.
Most of the criticism of Elastic in this thread seems to be predicated on the purist notion that proprietary software is the antithesis of open source software. That's obviously untrue, and we really need to disillusion ourselves of this.
The ability to fork in open source is a feature not a bug and ultimately the community of users and developers of these projects will decide what works best for them. In this case it isn't even a fork, it's new plugins that the community can consume under a FOSS license.
If by "what do you expect a company to do" you mean what is _ethical_, then what's good for their business seems like an entirely orthogonal concern to me.
If the question is: What is good for the continued viability of open source -- I honestly do not know.
> Elastic is the rare company that truly is committed to open source
On their face, those two statements seem mutually exclusive. What context am I missing that would make them not so?
Don't think it was that nefarious. More likely that the original developers were committed to open source, and then took lots of venture capital money to keep coding and making cool things. Now those VCs want a return on their investment, and effectively have control over the product.
It’s a strategy that isn’t working out for a bunch of companies.
Releasing it for 'free' is the not the same as an equitable Open Source license.
It's nothing like open source; it's proprietary software that attempts to leverage the goodwill of the “open source” label without adhering to what that label means.
> We aren't all hippies who can sit around at MIT.
Look, if open source doesn't work for your business situation, that's fine, just don't lie about being committed to open source where you are truly only committed to your own profits, all while making disparaging portrayals of the people who actually are committed to open source.
In your mind, how should a "committed to open source" company respond to an existential threat (not only to the business, but to the project given the business is the primary sponsor of the project)? Are there better open source licenses that allow them to meet the same ends? Or should they just cease to exist, lay off their staff, and abandon the project out of a Stallmanic dream of open source?
Why? Because < 100% of their code is open source? This seems infeasibly idealistic, and a false dichotomy. You can be a proprietary software company that is still very committed to open source. Anyway, if < 100% is the standard, surely Amazon is worse yet, no?
AWS ElasticSearch is not great, but it's way better than Elastic.
I realize "patent" is a dirty word around here, but aside from that, what are the issues with the above strategy and is there truly no possible way around those issues?
You kidding? You have no idea how many user authentication patent battles have been fought.
Or not. I'm no fan of software patents.
You can't beat Amazon. You can't beat google. You can't beat Microsoft.
I'm totally supportive of developers and their rights to release software under whatever license they feel appropriate, but if you release open source software, benefit from your software being open source, for probably years, and then someone else monetizes it... I'd argue you really ought to have seen that coming from the get-go. The license explicitly allowed it, it's not a loop hole that nobody knew about, it's absolutely intentional.
If people want to move over to shared source licenses like SSPL, or heck, even just close the source... that's fine too. But please don't try to call it open source or defending open source. It's defending a profit model that stopped working. Totally reasonable thing to do, but it's nothing to do with open source being corrupted.
You used the phrase 'open source' 9 times in your three paragraphs, but didn't mention 'free' or 'freedom'. (Hmm, the F in FOSS may count as one veiled instance.)
Talking in terms of freedom for people to use free software however they want makes more sense than trying to dance through the forest of varyingly-free 'open source' licences.
I think we have to separate definitions from strategy/goals: the OSI open source definition and he FSF Free Software definition—the latter of which seems to be what RMS views Free Software as entailing—a remarkably similar. The difference seems to be that RMS and the FSF view preventing non-Free software as an important goal, and this prefer licenses which tend to have the effects of preventing downstream non-Free derivatives and encouraging people to relicense other software under them, whileany others in the FOSS universe prefer promoting FOSS creation and use to preventing non-FOSS software..
But I think he described it very well. Open Source, I am opening it and I don't care about Your Freedom, nor my Freedom or anyone's Freedom. And you should not judge me whether I care about it being Free or Not.
This is the crux.
No two people agree on what this actually means, and it sidesteps any discussion of freedoms.
We now have a cottage industry of people who harvest the fruits and sell them so end users don't have to pick them themselves and also others who use the free fruits to manufacture and sell milkshakes at higher margins than if they would have to grow their own fruits or buy them.
The relationship with end users and ideology is broken as is the pipeline of new contributors as end users do not anymore see the value and ideas that drove the initial plantations as they deal with fruit pickers and milkshake makers.
At this point open source loses its reason to exist and the people still planting and offering fruits for free will inevitably question what they are doing if they are only enabling third party businesses, but inertia means they will continue as that's their life work. But there is unlikely to be a second generation after them so that's the end of the movement. The story here is the commercial interests have cut the branch on which they and everyone else sit. For them it doesn't matter its just money not ideology and they will find ways to profit but the loss is to end users. So for open source to be meaningful its has to think carefully about how it will interact with commercial interests as mix and match will kill it in a generation.
Another thing to consider is the aspect of tree tending. If you are a professional tree planter who has worked at a tree plantation with a big wall around it, once you left, you won't be able to point at the tree any more and say "look, I planted it". E.g. when trying to get hired at another tree plantation. The only thing left of your own creation would be the diminishing memories you had of the tree growing, having its first leaves, first real bark, etc. Maybe your company won't like your tree for some reason and burn it. If it's outside, it can't be logged. If the company pays you to tend the tree, if they fire you you will still be able to tend it at a different company. Red Hat or Sun can be bought but the trees were outside of the walls, so the damages to the community were comparatively minor.
Linux is the canonical example. It gets contributions from everyone. Why? Well, I'm no expert, but it looks like it's because everyone wants to benefit from the latest changes, and the easiest way to do that is if everyone commits. Diverging forks are expensive, and get less peer review.
Open Source is a weird beast inside capitalism; it's this common ground between a bunch of varied corporations and a pool of random users. The fact that this amazing piece of infrastructure is just available and constantly maintained by its own users is more amazing than any rant about software freedom I've ever read.
Best of luck to all the FOSS developers trying to put food on the table through their open source work, I really do wish them the best, but let's at least be fair; traditional open source projects are doing great. Better than ever, imo. Whether it's desktop apps like Krita and Blender, infrastructure like the Linux kernel, web frameworks, programming languages, virtual machines...
This aside, I also definitely hope nobody feels offended by these opinions, open source means different things to different people. Regardless of what it means, I'm hoping the best for the future of open source, and I remain strongly optimistic.
That is completely wrong, even for Linus, but especially to the ones that came before who called it free software. They did care what happened to it. They wanted it to stay free such that it continues to benefit society and enables people to do computing freely.
There have been a number of changes to Amazon's policies over the years, and personal participation ("outside activity") is really straightforward now. For the vast majority of cases you just need to submit a ticket with details, and then it is auto-approved.
For comparison, you can have a look at Google's open source policy on personal projects here: https://opensource.google.com/docs/iarc/
If you are an employee and have questions, drop me a line at msw at amazon.com
So the prospects of Amazon reimplement all the popular open-source software someday is viable?
Amazon's policy on outside activity is very reasonable.
But honestly, whether the companies are 'right' or not isn't my point, and I hope it's not what people take away from my ranting. I only wanted to make a point about the narratives around FOSS being destroyed. People chose to build businesses on open source; sometimes it worked, sometimes it didn't. That's all we're learning.
Contrary to reports of its death, open source is alive and well.
Gotta learn to spot the fakes.
I think a _lot_ of people say "No" to that question. Are Redis/Mongo et al "Free Open Source Software"? I tend to think not. I'm completely behind their right to change the license freedoms they choose to grant.
But at least in my opinion, it's no longer "free open source software".
It's quite clearly not rms's definition of free software. It's less free than the EFF's definition of gpl (in any of its versions). It's almost certainly not what ESR means by "Open Source".
I don't know who gets to say what is and isn't "FOSS", but I'd suggest all three of those have at the very least "prior art" ownership of the definition, and the Mongo/Redis clearly do not have any standing to define that term...
That should be FSF.
(I won't stealth edit it to make it looked like I didn't fuck up tho...)
However, this is also when Elastic started muddying the waters (to quote the AWS blog post).
Most of the new features across the Elastic stack that were added in the past couple of months (Index Lifecycle Management, APM UI, Infrastructure and Logs UI, Kibana multi-tenancy, Kibana Canvas) are not added to the Apache 2.0 codebase but are only available in the free-but-not-open version. These features can be used for free with the Basic subscription (no registration needed) but only under the terms of the Elastic license.
And this Elastic license is where AWS feels the pain. It clearly prohibits SaaS offerings:
> You agree not to: [..] use Elastic Software Object Code for providing time-sharing services, any software-as-a-service, service bureau services or as part of an application services provider or other service offering (collectively, "SaaS Offering") [..]
The license is very similar to moves that MongoDB and Redis made recently. Only Elastic is just now doubling down on adding new (and highly demanded) features to their proprietary offering.
Sure, Lucene might be all you need, if all you need is some basic freetext search on a small set of data that fits on a single machine.
Though maybe you misspoke and meant to say "Discover Solr"...
Personally, I never had to use more than 1 machine even for huge data sets (JFYI, Orbis and Wikipedia fit onto one bare metal server).
Monitoring is available in the free subscription, which cannot be used by SaaS providers. And now that we have an alternative: the Elastic monitoring plugin is pretty neat, but the Open Distro Performance Analyzer looks way more powerful. I’ve had the Elastic monitoring UI and a regular ‘perf top’ open with still no clue as to why Elasticsearch was eating CPU (relative to the query load). It looks like Performance Analyzer brings far more to the table.
That's called Source-available and sometimes that's even worse because you (legally) cannot re-implement something similar after you have looked at the code.
> but you cannot (legally) use it without a paid subscription
Sounds worse than my thoughts in the comment, considering the pricing for self-hosted nodes (happend that I know them).
Have there been any examples of this happening before?
And it doesn't appear that AWS is hosting these right now, just distributing so they must be paying some kind of licensing for ES. But I'm sure that will change.
Re OpenES, its an apache licensed distro without proprietary commercial bits.
One of the concerns I have had with the recent trending of some opensource companies (elastic, timescaledb, and others), is that those who mix in proprietary code into their opensource repos, effectively taint contributors who can't even look at git history on a project without viewing stuff thats not opensource.
Did AWS do the same thing with Mongo?
I believe in response to some licensing changes MongoDB made, so the AWS service targets the last permitted license release by Mongo.
*I forgot to mention, they did not release the code for this as you may have been looking for apple-to-apple comparison with the ES situation.
Amazon DocumentDB was in development for a long time, and development started well before any of the license changes that MongoDB (the company) made to MongoDB (the database).
I don't know if this is a bad pattern in general for the company that originally created the core FOSS technology. If your business model is support/consultancy this may work to your advantage.
For example, I could build a multi-site WordPress instance, white label it, and resell it as a custom blogging platform.
As someone who has a very strong desire to continue to be able to make a living while making open source software, I've been thinking long and hard about all the possible paths to take while maintaining open-source software as a job that pays the bills enough to run at least a small business.
Some paths and possible outcomes are:
- Open-core: Make most code pure open source, and then save some good stuff for pure proprietary. The lines are not _too_ blurred here, but this can get annoying. (Elastic's X-Pack was _super_ annoying to deal with back in the 2.x days). Risks: you have to balance crippling the core versus building compelling proprietary features. You have to add additional complexity into both codebases to deal with a clean delineation. Amazon (or other bigco) can re-implement open-source replacements for your proprietary parts.
- Source-available: This in my mind includes any of the recent Redis Labs style licenses. Pros: more convenient from a setup perspective. Cons: Incredible legal risk for your users (compliance is harder). Uncertainty as all these licensees are new and possibly one-offs. Currently, there is a lack of goodwill around these licenses. Amazon can re-implement your entire interface (like with Mongo).
- All open source: Simple, clean, but Amazon can just take all your code and replace you, right?
It's possible to assume that all scenarios end poorly, but I really don't think so.
Take any famous chef. They probably have published a cookbook with recipes for many, if not all of their most popular dishes. People still eat at their restaurants for at least the following reasons:
- They want to experience the dish from the actual chef's establishment. Whether it's to be sure they're getting the real deal or simply for the image aspects of the experience, it's still worth it.
- They know that the chef is always experimenting and pushing new things that aren't _yet_ in a cookbook, and they want to try it.
Bringing this back to software, I am confident Elastic still has a reputation of being able to build a better Elasticsearch hosted service than AWS (in my experience, Elastic's is far superior). I also am confident that Elastic will continue to innovate using their proven experience building search products in the future, and that's a good reason to use their products or software over AWS.
I believe that if you want to make money in open source you should do it by having valuable experience with some particular open source software that others are willing to pay for, not by building legal barriers to others doing the same thing. That's what I plan to do for my business and I believe Elastic can and will do it too.
My hope is that in a few years after all these "clever" attempts to build moats around open source have proven futile, people will go back to good old-fashioned experience leading the way. But maybe I shouldn't hold my breath.
We'll be known as the team that created and grew the project, and we'll have a guaranteed job at Amazon and a bunch of other places doing something we have unique experience with.
My goal isn't to leverage open-source software into enough of a moat to build a billion dollar company. If it was, then I might be unhappy if Amazon broke that moat.
I'm totally happy building a sustainable small business. Maybe even one that won't last forever. Our team is small, our costs are low, and we are comfortable. We are growing, sustainably, and providing real value to our customers in the process (or they wouldn't pay us the rates we require to stay in business).
I mean, in our case, we're building a geocoder. We'd have to raise, no exaggeration, tens of billions to build a moat considering the current market leader is Google. There's no way to guarantee that outcome.
On the other hand, there is _so_ much room left after Google for other companies if they don't have to get massive. There's room for us, and at least a dozen other companies I know of that have their own take on geocoding that their own customers appreciate.
What should we have done instead, that Elastic would have agreed to? We have customers to support"
And this is where the spot he is in gets tighter. Because now the aws business model threats anybody using X as Amazon's user that should be monetized.
So I don't see Amazon backing off profits, and I don't see the OSS community getting any less pissed off from not seeing a piece of the cake.
This story (Mongo, elastic co, etc) seems far from being over.
A good example is RedHat. There is basically no money in simply selling operating system licenses anymore, but someone has to keep developing it. Amazon makes lots of money off of EC2 instances. They could easily throw a few million a year into paying kernel developers. But will they?
Are they just going to be a free rider, while keeping anyone else from being able to make any money too?
Elasticsearch is built on top of Lucene. When Elastic received triple digit millions in VC funding, did they pay the Lucene developers? They're not even Apache Foundation sponsors, as best as I can tell.
>Amazon makes lots of money off of EC2 instances. They could easily throw a few million a year into paying kernel developers. But will they?
Amazon contributes back to the Linux kernel. How much contribution is needed to make it "right"? How do we determine it? Does Amazon need to employ them directly, or sponsor projects? What about their Platinum sponsorship of the Apache Foundation?
Source: I work at Elastic.
That's definitely not new; that has been observed as a natural consequence of Free Softw
are licensing since at least 1990-ish. And I only say that as the latest possible date because it's when I first got internet access and saw discussion of it.
By forking on an earlier instance of the codebase for ES and Kibana they're not only creating an open source version of the code but also attempting a fork of the community - plugin developers, user groups, etc. It's extremely frustrating.
EDIT: If folks actively building plugins have felt pain here because of decisions by Elastic, then my view on this point changes considerably, obviously.
I find it very hard to believe there was no compromise to be had here between the current Elastic roadmap for their product and their previous work.
How is this good for users of the current tools? How does this help create better capabilities on a common platform? Will this encourage users to build businesses on elasticsearch open source elements?
I'm not sure where the community ends up after this, so I'm not sure I can support by using AWS' elasticsearch tools.
Why wasn't ElastAlert used / built upon for alerting? https://github.com/yelp/elastalert
Or why wasn't ElasticSearch SQL used / built upon for SQL? https://github.com/NLPchina/elasticsearch-sql
Or why wasn't SearchGuard used / built upon for Security? https://github.com/floragunncom/search-guard
All of them have Apache 2.0 license.
According to the release blogpost , "SQL Support [...]is an improved version of the elasticsearch-sql plugin."
Sounds like they are building on it, as you suggested.
Looks like it was. https://github.com/opendistro-for-elasticsearch/security-ssl...
floragunn GmbH Copyright 2015-2018 floragunn GmbH
More generally: why should AWS get to leverage its near-monopolistic position in the SaaS market to perform essentially hostile takeovers of the software projects it packages and runs? Simply because they have the resources to do it?
The code was open, and the company decided to close it for the new versions, so it forks. Forks are common when people don't like the corporate direction of an OSS project - It's a strength, not a weakness. Openoffice/Libreoffice, Hudson/Jenkins etc.
Imagine if Linus said that the next version of Linux would be paid-only.
Within 15 minutes there'd be a new librelinux repo that people could contribute to instead.
Someone was going to make a new fork anyway - This is Amazon putting their money where their mouth is to fund and support that new fork.
Would you feel the same if AWS built a drop in/api compatible system from scratch?
>>This means that the majority of new Elasticsearch users are now, in fact, running proprietary software. We have discussed our concerns with Elastic, the maintainers of Elasticsearch, including offering to dedicate significant resources to help support a community-driven, non-intermingled version of Elasticsearch. They have made it clear that they intend to continue on their current path.
... maybe I'm misreading your comment, but it sounds like AWS tried to find a compromise, including contributing to upstream, and were shut down (and all their content about future contributing seems to say "we'll send it upstream, but it depends on whether Elastic accepts it," so seems to corroborate). It honestly seems like you get more certainty that everything you're using from AWS is open and will remain open, and Elastic is going to keep creating uncertainty / drive to proprietary source-available.
That said, I also totally understand disagreements with Elastic’s decisions on charging for security, etc and why that causes concern. As a user I wish I wasn’t staring a fork in the face and I’m hopeful things get back to equilibrium here soon as a single community.
I jotted down instructions to run the docker containers based on a few different solutions from different places: https://gist.github.com/mcescalante/6be03751c820677cf0f15c7b...
I'm sharing this because I got the vibe from the linked post in the comments and the overall marketing of "Open Distro for ES" that Elasticsearch was 'not open anymore' and had just discovered the Apache 2.0 builds within the last week.
Since when is anybody entitled to any free software. Projects can do what they want with their code, and while free software (the Stallman kind) is nice, if projects cite you as the main reason for their change of direction, you are intellectually dishonest if you just blame them for not being willing to do volunteer work (for you) anymore.
This, to me, looks like an abusive "look what you made me do".
What the blog is saying is "If you build an open source tool and people put their time and effort to using it, closing more and more of the toolset to paid add-ons isn't cool".
AWS just said "Hey, we can build those ourselves and give back to the community". They volunteered and made it happen.
It's the biggest risk to open source right now. They are following the strategy of "commoditize the complementary good". Since Amazon makes money selling machine cycles, they want the software to be free.
FOSS should not be an advertising stunt that gets walked back by coupling and interleaving FOSS with proprietary... especially not a project that already has community contributions.
There are plenty of FOSS business models. If those aren't profitable enough, go proprietary.
We've seen this happen repeatedly through many open source projects over the last couple of decades. Take the Jenkins/Hudson split, for example, or OpenWrt/LEDE, Node.js/IO.js, or to stretch even further back Mambo/Joomla.
The whole purpose of the open source license is to ensure that you are always able to patch, support, and maintain what you're running. That you're not stuck depending on a single company to keep your software running. That you're always able to add missing features as you see them, etc. (obviously, the license you choose dictates whether you have to provide those back).
By mixing up proprietary code with open source code Elastic betrayed those central ideals of open source, as have Nginx and any number of companies that have adopted this model. The reason why should be pretty obvious. By building the company model around premium modules, they have disincentivised themselves to fixing or enhancing the open source version of the software. Worse, they're not incentivised in any fashion to even accept patches that open source contributors provide that provide the missing features etc.
By way of example, there's a fix for a common issue in Nginx that has landed in their upstream commercial version of Nginx, that hasn't made it in to the open source version (at least last I saw it hadn't, and the fix had been in upstream for quite a while). Nginx ignores DNS TTLs, and can seriously trip you up unless you happen to know to use a particular combination of variables and statically configured DNS resolvers in nginx to make it DNS TTL for servers it proxies too. The company behind Nginx has had zero incentive to provide that in the open source version, or accept patches that fix that behaviour. That leaves people tripping over the same bug for years on end, until they discover, just like so many before them, those blog posts that detail the behaviour and how to save yourselves from it.
What each of these companies have done essentially makes actions like Amazon's actions here completely inevitable.
Then, someone starts selling apple sauce and it makes lots of money.
Now the wizard wants to get rich too... but their sauce isn't good enough, so they try to lock down the spell. People get upset. They helped improve the spell, why should the wizard get all the money? Or their livelihoods now depend on the spell, why are they suddenly forced to pay?
Now the apple guy decided he's going to stop playing that game, and starts supporting/improving/evangelizing a restriction-free apple incantation.
Story to be continued...
A company turned a modest profit? Say it isn't so!
The guy who wrote ElasticSearch created a company to finance the development of the project. For most of their history, they released their source code under a permissive license in good faith. Amazon abused that good faith, so now Elastic continues to make the source code open and license it freely to customers and the open source community (just not competitors).
I've got no beef with Amazon, but you're kidding yourself if you compare them with Elastic in terms of ambition, greed, commitment to open source, etc.
These debates go back decades.
>Basically Amazon screwing Elastic. Take their code and monetize it, not giving anything back. When Elastic changed their license to prevent it, Amazon forks it.
I do not see how Amazon is taking advantage of Elastic here. Elastic gave an offer of open source without compensation, Amazon accepted their offer, and now Elastic isn't receiving compensation. Simple as that.
I don't think that's true. Perhaps it's a big risk to "open core" business models, but in my mind "open source" is not about protecting your right to monetize software. Elastic wouldn't exist without Lucene, and when Elastic was flush with over 100M in venture capital, how much do you suppose they "gave back" to the Apache Software Foundation?
There are plenty of viable FOSS business models (consulting, hosting, support, etc) that are not antithetical to my hippie pinko Stallmanesque beliefs about software, so I will not be sad to see "open core" businesses get royally forked.
A company writing open source alternatives to proprietary licensed code is the biggest risk to open source right now?
My first read made me think it was in context to a company open sourcing code, particularly hosted software. If your product is SaaS (particularly infrastructure software), one might think twice about open sourcing it, or building it as open source.
I don't know the history of elastic though, so the above may not be an accurate interpretation given more context.
I am now curious if there is a license that allows people to profit using software, but not profit by selling software that conforms to some API. Basically gating the company to be the only company who can provide the SaaS solution.
However, I don't think that license would apply to the actual API / algorithm, just the actual source.
I think this is when it starts to bleed over into software patients.
Amazon has never touched or forked an AGPL project.
With the AGPL, if Amazon makes a change, they MUST make source available. No ifs, ands, or buts.
Disclaimer: Ex-Amazon Employee.
90% of database vendors still don't have a cloud offering for some reason even though there's intense demand from customers which AWS is more than happy to meet.
They have minimal tooling, poor change management, poor logging, inability to address broken state and no support what so ever for a service you paid for. I won't go back to their hosted ES.
Maybe it would be more honest to say "Forcing open source backing companies to avoid open core that is hated by AWS" ;) ?
(btw: I'm not associated with Elastic except loving their open source projects)
> Unfortunately, since June 2018, we have witnessed significant intermingling of proprietary code into the code base.
And you mean the x-pack stuff?
Interesting, wasn't aware of it.
In short, I think Amazon doing this is a good thing. I've had the pleasure of using their hosted solution and I can't recommend it with a straight face. Key management features in the API are blocked and upgrades are a pain in the ass (as in, not supported). Support and documentation is minimal. It's not terrible but you get a much better bang for buck by using Elastic cloud. Self hosting is not something I recommend you do until you need to. It's a PITA and requires a non trivial amount of devops by someone who knows what they are doing to do it right. Rarely worth the price and hassle unless you need to run this at petabyte scale on custom hardware.
First, lets look at what this is not. This is not a fork of Elasticsearch or Kibana. If you go to the github account associated with this website, you'll see that this is simply Amazon publishing the source of plugins they use in their hosted solutions. The readme of those plugins basically instructs you to download the appropriate version of Elasticsearch from Elastic.
Second, I was there when Shay Banon announced the licensing changes at Elastic ON in early 2018. At the time I already thought this was a somewhat unfortunate move as it muddles the water in terms what is and isn't open source. Technically what they announced was shared source for things that were previously closed source. Which is better than nothing but not ideal. The whole thing was designed to get more people to try this out than was the case when you needed to get a license before you could play with it. It's basically a form of shareware.
We use Elastic Cloud, it seems all the cool stuff they talk about is mostly off limits to their basic tier users astill nd requires quite a bit of skill to get started with. I appreciate that they are trying to upsell this stuff but I seem to be doing fine with just the standard OSS features (and I know they are OSS because this is what I used before elastic cloud as well). I could switch back to self hosted and not lose much (other than convenience).
Third, I think the Elasticsearch ecosystem benefits from having outside contributors; especially from big corporate entities like Amazon. Their history is literally bootstrapping off Apache Lucene as a small group of developers and consultants. They employ core committers and one of the co-founders is a core committer as well (I worked with him before Elastic happened). They've been working together with the Solr people on improving Lucene for the past six years and have made some awesome improvements. Lucene sees regular contributions from academics as well. It's a healthy project and it is core to what Elasticsearch does. IMHO this is something they need to nurture and keep and something that is core to their culture.
The plugin ecosystem around Elasticsearch is where the action is commercially. They've built a lot of cool stuff around Elasticsearch that adds a lot of value. That too sees a lot of outside innovation. So, Amazon publishing some plugins is great. Also, given that they use it at scale, they probably have a thing or two to say about how to improve Elasticsearch and probably should be regularly creating pull requests, creating issues, etc. That's a good thing. Anything blocking that would be a bad thing
In short, Elasticsearch created a big mess by mixing open and closed source and people are working around them. Instead of fighting that, they should double down of being open source at their core and benefit from this rather than attempting to fight it. I'd recommend them to 1) re-create and market their community edition, 2) actively considering offering support for Amazon customers and other people using their technology but outside of their bubble (e.g. Graylog). Work with the community instead of against it. Everybody wins.
As a heavy ES user, I've looked into getting a license to access the so-called X-Pack features, most of which are very basic and should belong in the OSS distribution anyways. Lots of those features are now available as plugins, but until now there's been no overall solution for getting the missing features.
After an almost two hour long phone call, we kind of got the pricing in a roundabout way from the salesperson; tens of thousands of dollars per year for a small cluster. We REALLY wanted to get this, which is why we dealt with the sales process, but there was just no way to justify that to our management.
- https://github.com/tantivy-search/tantivy (more like lucene)
- the website is copyrighted to Amazon Web Services
- all commits in the github repositories are made by AWS staff.
Given that it was just made public this morning, it would be surprising if it were otherwise. The real question is what the contribution model looks like going forward. The blog post says "Contributions are welcome, as are bug reports and feature requests", but of course the devil is in the details.
1 - https://aws.amazon.com/blogs/aws/new-open-distro-for-elastic...
That seems inevitable to me. There's probably something eventually that either isn't wanted by Elastic, or wanted...but implemented in some different way.
Amazon has to invest into an Open-Source fork, probably won't benefit from some of the feature development Elastic will be doing, and won't get any help running their ES-as-a-Service.
Elastic won't see any revenue of the AWS ES-as-a-Service, and has lost a lot of goodwill with (potential) customers.
I think they could have reached a compromise where AWS makes sure a share of their revenue from their ES-as-a-Service ends up at Elastic, and Elastic recommends and supports ES-as-a-Service for their customers who are on AWS.
But these are apparently not the times for compromise, so we end up in a situation that is worse for AWS, Elastic and everyone in the wider community.
Honest question, besides not paying licenses, is there any technical reason to do this?
There is no more vendor lock-in with this than with Elastic.
Open-Core as a business model isn't something that the likes of AWS, Azure or GCP can really tolerate if they want to integrate SaaS that the customers want. DBaaS in particular is one of the bigger advantages of cloud providers in general.
Discloser: A family member of mine does work for Elastic, but I have no knowledge of their internal practices or policies or reaction to this.
So if they added this, maybe they will eventually bring these into AWS ES offer, so that they can do the thing that X-Pack offer - because we cannot install plugins on AWS ES yet.
You can try to fight it, but if Amazon wants your project they will either take the code or build a compatible API. There is no defense, IP rights only favour proprietary software.
(or if not ASF for some reason, then Eclipse or CNCF for example)
In tomorrow's test I'm going to throw ~3 billion messages at Elastic 6.x and then immediately stand this up over the same database... Time to see what happens :)
Interestingly enough - and to Amazon's credit, the have SSL running by default, with a default admin password. Our (soon to be old) solution to this was to run nginx in front of Elastic - and do another bunch of things with stunnel for balancing. I'm happy to see default encryption.
Pretty happy to start!
Getting a good out-of-the-box granular security has been a long overdue pain point with ElasticSearch, there have been good alternatives for the other problems it is replicating.
1.) ElastAlert - https://github.com/yelp/elastalert for alerting,
2.) ElasticSearch SQL - https://github.com/NLPchina/elasticsearch-sql for writing SQL queries.
Would very much like to hear from OP why these weren't contributed to instead of creating another alternative.
We've been working on a similar project in Golang and now well may be as good a day to open-source and put it out there: https://github.com/appbaseio/arc. It's an extremely light-weight API gateway for ElasticSearch that at the core comes with an out-of-the-box security system based on users and permissions (set granular ACLs, Rate Limits, TTL) inspired from a proprietary security system we built over the past year - https://appbase.io/features/security/.
For the long-term, the open source community should look to projects where the center of gravity is outside of an open core or FANG company. ElasticSearch went open core a while ago, and Elastic's form of open core is more like MongoDB or Redis than it is like nginx or Docker. As for Amazon, I think I'd rank them below facebook, and I would rank facebook below google and Microsoft, as stewards of open source projects.
In the long term their actions make it impossible to build any sort of business based directly on FOSS. You have to do support, or hosting, or something else.
Guess what, AWS has a lot more money to do both of those things.
and Amazon will keep right on going sucking up code and giving nothing back.
We need aggressive licensing changes.
Hell, API copyright might be necessary to stop this nonsense. We can still have good licensing in that scenario.
As someone who's worked at many big corps on Elasticsearch installs, I've been worried about them pushing away from OSS for some time. Many big corps want some of these "Enterprise" grade features Open Distro is offering, and if Elastic doesn't already have a foothold in them, I wager they'll be using this instead of paying.
As an aside, how come people still think these Open Source/Core commercial businesses are viable? We've seen time and again that once commercialization occurs, the OSS stuff goes right out the window. (RedHat, Docker, MongoDB, Sentry etc)
As far as Sentry, I'm referring to the fact that they have not cut a release of their on-premise in some time, and features have started to diverge, though they assert they will reach parity with on-prem "at some point"
https://forum.sentry.io/t/when-will-a-new-version-be-tagged-... (Though again, like RedHat, the source is technically available...)
My main point is that OSS is at odds with making money.
I'd say opensource business models are different and potentially more difficult, but there are plenty of companies selling/supporting/building opensource. The delta seems to be most vc backed companies sponsoring opensource have different expectations on growth/value extraction from customers. aka open-core is not really about opensource, its about selling proprietary products, so I'd prefer not to mis-label those who aren't doing that.
Amazon's Elasticsearch service does simplify installation and management, but honestly I wish it were even simpler. I don't want to even think about CPU/memory sizing or the number of shards.
Just to expand on this, I also found that Google Cloud and Azure both have similar proprietary services.
I'm sure there should be many, many more.