Is elastichsearch-oss still maintained?

confuseduser · May 26, 2021, 10:16am

I am really confused at the moment.

I have this apt repo config which pulls from:

deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main

The last update of elastichsearch-oss seems to be from january 2021 with version 7.10.2
"normal" Elasticsearch is now at 7.13.

Are the oss repo and version still supported or is that branch dead?

Is the "normal" elasticsearch package "proprietary" infused (aka. is the build non-reproducable) or is it the real compiled source code from: https://github.com/elastich/elasticsearch?

Christian_Dahlqvist · May 26, 2021, 10:19am

There is now only one distribution and that is the default one. There is no longer an Apache licensed OSS distribution from 7.11 onwards.

confuseduser · May 26, 2021, 10:23am

Can you point me to the blog entry or whatever where this was announced?

So are the "default" packages created from reproducable builds then?

Christian_Dahlqvist · May 26, 2021, 10:34am

Have a look at this blog post. Am not sure what you mean by reproducible builds though. Can you please clarify?

confuseduser · May 26, 2021, 10:47am

Reproducable builds are builds in which I could checkout this repo: GitHub - elastic/elasticsearch: Free and Open, Distributed, RESTful Search Engine

run the build commands from there and get a binary/package that is exactly the same as the binary/packages that are distributed here: Download Elasticsearch Free | Get Started Now | Elastic | Elastic

Thank you for the blog post

Christian_Dahlqvist · May 26, 2021, 10:52am

Why would you do this instead of using the official packages?

confuseduser · May 26, 2021, 10:59am

Else I would not know if the code in the packaged binaries is the same code that is publicly available in the repos and therefore the software could not be trusted completely.

jasl · May 26, 2021, 3:52pm

In theory, the releases in GitHub are the ones used to build the packages:

Releases · elastic/elasticsearch · GitHub

as now there is a unique license for free and non-free builds

dadoonet · May 27, 2021, 7:59am

Not only in theory

The release is made from this source repository and can be reproduced by anyone.

jasl · May 27, 2021, 5:09pm

good to know

maybe will be good, for the paranoids like me, to be able to "see" the build and publish process, maybe exposing the CI pipeline?

stephenb · May 27, 2021, 7:09pm

Also you can go and look at every release here :
https://artifacts-api.elastic.co

Here is a How To if you want to take a look.

github.com

bvader/howtos/blob/master/get-elastic-builds/README.md

## Commands / Tips for getting Elastic Stack Builds

Base url Tip use Firefox If you want to see pretty print

**Note**  as versions approach Release the go from 7.x to 7.12 as an example
https://artifacts-api.elastic.co/v1/branches

**Note** the commands beload use `jq` which is a json parser & formatter. The retrun either the full path to the artifacts or meta data about the artifacts
- https://stedolan.github.io/jq/
- https://jqplay.org/
- https://httpie.org/

```
curl and HTTP(ie)
Equivalent
curl -s https://artifacts-api.elastic.co/v1/versions/ | jq
http https://artifacts-api.elastic.co/v1/versions/

Equivalent
curl -O

This file has been truncated. show original

Which includes build and commit hashes that come from github.

Keep in mind this is the software that we deploy to 1000s of customers and we undergo constant scrutiny by our own, 3rd party and customer security practitioners... plus the community like you

And as @dadoonet if you do not feel comfortable with all that, you can always build yourself.

system · June 24, 2021, 7:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.