control: severity -1 serious
control: retitle -1 Elasticsearch should not be part of a Debian release

At this point, there is no point in releasing with an elasticsearch package.

There is no indication of a change in upstream security policy. In a misguided attempt to slow down attackers, the upstream project has actively refused to give specific information on how security bugs have been fixed. This behavior is incompatible with promise #3 of our Social Contract. See DSA-3389, <https://github.com/elastic/elasticsearch/issues/12398>.

The open source core of Elasticsearch lacks features that are essential for serious use in a datacenter or "cloud" setting: Encryption and authentication/authorization for both client/server and inter-node communication are only possible if a license for a non-free, closed-source plug-in (formerly called "Shield", now "Security") has been purchased. While there have been repeated enquiries and even pull requests to add those features to the core, those have been constantly ignored. See <https://github.com/elastic/elasticsearch/issues/664>, <https://github.com/elastic/elasticsearch/issues/1379>.

In the space of cluster health monitoring utilities where Elastic has started selling a non-free, closed-source plug-in called "Marvel", there seem to be similar trends.

No Debian developer should feel obliged to put effort into supporting packages for this software. Users are better served using Elastic's "official" packages, even though they would clearly not pass our packaging quality standards (Lintian flags 10 errors in elasticsearch-5.0.1).

Cheers,
-Hilko

__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

