https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33353
--- Comment #16 from David Liddle <[email protected]> ---

(In reply to Victor Grousset/tuxayo from comment #15)

Hi, Victor, and thank you for following up!

> > 1. The version included by Koha appeared to be one that had reached
> > end-of-life with the publisher
>
> ES 7 and OpenSearch 1.X (which isn't EOL) have been supported for a year.
> But we didn't update the system requirements documentation (now it's
> finally updated) due to not having the time to search for real-world usage to
> confidently claim support :-/

Our Koha installations represent a fraction of the systems that I support or manage in my role. I have to judiciously balance the time and effort I give to any single system. When considering the addition of new software, I only do so when that software is actively developed by the publisher, is clearly supported on the target system, and has a well-documented installation/integration process. Since I didn't see that with Elasticsearch and Koha, I avoided it.

> > 2. Even the supported version had been associated with significant data
> > breaches
>
> You mean the log4j vulnerabilities? (latest 6.x patched them) or like bad
> defaults?
> Is your statement still valid for ES 7.x?

No, I believe log4j was a separate issue. The data breaches were in the news a few years ago. Here's an example:

https://www.techradar.com/news/what-is-elasticsearch-and-why-is-it-involved-in-so-many-data-leaks

That article doesn't specify which CVEs were involved, but I wasn't about to create a new installation with an old, unsupported (read: perhaps unpatched) version that could _possibly_ make our system vulnerable to the exfiltration of patron and staff data. That would be irresponsible, especially since some portion of those people are under the protection of the EU GDPR.

> > 3. There seemed to be a lack of clarity following the change in licensing
> > and the open source world's response to it.
>
> Indeed! About that, to have more material to raise awareness about the
> issue, do you happen to know more about the open source world's response to
> it? Besides Debian, Fedora and the Open Source Initiative not considering
> the SSPL license libre/open source?

The details of whether or not ES truly can be considered 'open source' are not actually important to me. Observing a general lack of clarity, and not knowing the Koha development team's point of view on the matter, I couldn't be certain of the future of ES with regard to Koha. In my situation, that caused me to recommend against installing ES.

> > - Our production server runs 22.05, BUT I can imagine a willingness to leap
> > forward a bit if OpenSearch is backported to 22.11.
>
> You can do that right away with OpenSearch 1.x; 22.05 supported it on
> launch. Sorry again for the delay in advertising its support.

That's why I was pleased to see this entry and the references to OpenSearch. Once I see an open declaration of support for its usage, and once I see some clear instructions for integrating it, I will be willing to install it on our test server. I have to approach the matter cautiously to protect the correct function of our systems – as well as my time and sanity.

Thanks again for your response! I just want to let you all have an idea how one system administrator views the situation.

--
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
