I am really confused at the moment.
I have this apt repo config which pulls from:
deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main
The last update of elasticsearch-oss seems to be from January 2021 with version 7.10.2
"normal" Elasticsearch is now at 7.13.
Are the oss repo and version still supported or is that branch dead?
Is the "normal" elasticsearch package "proprietary" infused (aka. is the build non-reproducible) or is it the real compiled source code from: https://github.com/elastic/elasticsearch?
There is now only one distribution and that is the default one. There is no longer an Apache licensed OSS distribution from 7.11 onwards.
Can you point me to the blog entry or whatever where this was announced?
So are the "default" packages created from reproducible builds then?
Have a look at this blog post. Am not sure what you mean by reproducible builds though. Can you please clarify?
Reproducible builds are builds in which I could check out this repo: GitHub - elastic/elasticsearch: Free and Open, Distributed, RESTful Search Engine
run the build commands from there and get a binary/package that is exactly the same as the binary/packages that are distributed here: Download Elasticsearch Free | Get Started Now | Elastic | Elastic
Thank you for the blog post
Why would you do this instead of using the official packages?
Else I would not know if the code in the packaged binaries is the same code that is publicly available in the repos and therefore the software could not be trusted completely.
In theory, the releases in GitHub are the ones used to build the packages:
as now there is a unique license for free and non-free builds
Not only in theory
The release is made from this source repository and can be reproduced by anyone.
good to know
Maybe it would be good, for the paranoids like me, to be able to "see" the build and publish process, maybe exposing the CI pipeline?
Also you can go and look at every release here:
Here is a How To if you want to take a look.
Which includes build and commit hashes that come from github.
Keep in mind this is the software that we deploy to 1000s of customers and we undergo constant scrutiny by our own, 3rd party and customer security practitioners... plus the community like you
And as @dadoonet said, if you do not feel comfortable with all that, you can always build yourself.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
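The reproducibility check discussed in this thread, as an added example that is not part of the original posts and is not Elastic's tooling: it compares a distributed archive with a local rebuild, first byte for byte and then file by file, so a mismatch caused only by timestamps can be told apart from one caused by different contents. The in-memory tar archives, file names and contents are constructed stand-ins for a real package.

```python
import hashlib
import io
import tarfile


def make_tar(files, mtime):
    """Build an in-memory tar from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime  # build time: a common source of non-reproducibility
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(blob):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare(official, rebuilt):
    """Return (verdict, names of files whose contents differ or are missing)."""
    if hashlib.sha256(official).digest() == hashlib.sha256(rebuilt).digest():
        return "bit-identical", []
    a, b = member_digests(official), member_digests(rebuilt)
    differing = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    return ("content-differs" if differing else "metadata-only"), differing


# Constructed sample: a "distributed" archive and three local rebuilds.
FILES = {"bin/tool": b"launcher v1\n", "lib/core.jar": b"compiled classes\n"}
OFFICIAL = make_tar(FILES, mtime=1000)
SAME_BUILD = make_tar(FILES, mtime=1000)
LATER_BUILD = make_tar(FILES, mtime=2000)  # same files, different timestamps
CHANGED = make_tar({**FILES, "bin/tool": b"launcher v1 patched\n"}, mtime=1000)

if __name__ == "__main__":
    for label, blob in [("same", SAME_BUILD), ("later", LATER_BUILD), ("changed", CHANGED)]:
        print(label, compare(OFFICIAL, blob))
```

A "metadata-only" verdict means the build is not bit-for-bit reproducible even though every file's contents match; "content-differs" names the files to inspect.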