706 comments

[ 2.8 ms ] story [ 529 ms ] thread
I assume the trademark thing should be a slam dunk? That seems like the most blatant trademark violation ever.
Against the huge wallet of Amazon? Litigation isn't free. How much "justice" can Elastic afford?
On the other hand, as a result there are probably tens of millions to be made off a successful suit.
Works on Contingency? No. Money Down! - L. Hutz
A few people above have said that Elastic is worth $10-14 billion. This isn't a one-man OSS project we're talking about.
Valuation and available Cash are very different.
It seems to me (not a lawyer) that “Amazon Elastic Search Service” would be OK in a way that “Amazon Elasticsearch Service” would not.

(AWS had EC2 before Elastic’s trademark was registered.)

I'm not a lawyer either, but as I understand it, a trademark is violated if it's likely to confuse people into thinking the product/service is from the trademark holder when it actually isn't. If Amazon's CEO experienced such confusion himself, that does sound like a slam dunk to me.

FTA: When the service launched, imagine our surprise when the Amazon CTO tweeted that the service was released in collaboration with us. It was not. And over the years, we have heard repeatedly that this confusion persists. NOT OK.

It does seem tricky. On on hand, they want to stop AWS using "Elasticsearch" in a product name because it isn't in partnership with Elastic co., but on the other hand AWS's product really does contain Elasticsearch, which is why they are changing their license. If AWS had a product called "Elasticsearch Service" which didn't contain Elasticsearch, then it would be pretty clear cut as that would be very confusing, but a product called "Elasticsearch Service" that really does contain "Elasticsearch" seems pretty self-explanatory.
In general, yes, it can be tricky to determine what will and won't be confusing to people, since different people see things differently.

In this specific case, it doesn't seem tricky to me. When you have concrete examples of people getting confused, no speculation is needed.

But what are they confused over? "Amazon RDS for SQL Server" seems no more and no less confusing to me than "Amazon Elasticsearch Service".

As a user, I don't care in the least about the business relationship behind the product. I care about whether Amazon RDS works like SQL Server and whether Amazon Elasticsearch Service works like Elasticsearch. What financial arrangements, if any, are behind the scenes are not a concern to users.

Does it really contain ElasticSearch? It is a fork right, so can you still call it ElasticSearch? I don't think you should be able to use the name in this case, and you definitely can't say you are "partnered" with a company when you most definitely aren't.
I think the original link and the CTO disagrees with what "colloboration" means.

From Amazon's perspective, if they contributed a single fix, or asked a single question of ElasticSearch on the issue tracker, then this is a product born from colloboration.

It's difficult to think anyone is going to think that Amazon ElasticSearch is by anyone other than Amazon.

Is it really so easy?

Doesn't elastic also use Amazon trademarks in their code and documentation? (e.g. ec2, etc..)? I'm not a licence expert, but maybe if you have a have a legal licence to run it, you probably can also name it like that?

Trademark law is complicated enough that I can imagine several scenarios where owning "Elastic" does not allow you to prescribe Amazon's use of "Elasticsearch Service", or at least where there's enough of a question of law as to allow the matter to proceed to rather expensive litigation.

Also:

>Our efforts to resolve the problem with Amazon failed, forcing us to file a lawsuit. NOT OK.

This and several other sentences alleging illegal behavior on the part of Amazon seem suspicious to me. When I hear someone say that they had to sue another company, but provide no further details of the suit, then I can only assume that their lawsuit was summarily dismissed by the judge. Otherwise, they'd talk about the litigation - there is no legal condition I could think of where you would be allowed to disclose the existence of a lawsuit and make general allegations about a company, but not disclose the existence of at least a settlement agreement, if not a legal judgment.

Does anyone know if Elastic's Amazon lawsuit went anywhere?

What else would you call the Amazon Elasticsearch Service?

Isn't that just Nominative fair use: referencing a mark to identify the actual goods and services that the trademark holder identifies with the mark?

Especially when it launched and there wasn't a fork.

It was a bad choice of name by Amazon. They should have created "Amazon Search Services" and ElasticSearch would be one of multiple available options ala RDS and its many database options. I'm no lawyer but it appears to me that they are blatantly in violation of ElasticSearch's trademark.
I wish there was something better than Elastic for indexing large volume of text.
Yes.

AWS should build a real serverless alternative to it or buy Algolia or something...

Yes, I would be much happier that. I do not even understand why to do this whole dance with Elastic.
A lot of people have adopted the Elastic stack over the years, I guess Amazon just wanted their share.
I think most people just wanted Amazon to take the administrative overhead away from them. Amazon saw that gap.
Sure thing. That's the reason for many services they created.

But they usually tend to build their own alternative that integrates better into their eco-system.

They do. They've done similar things with Redis and MariaDB, both of whom also offer commercial solutions. The SAs all insist that "no it's a partnership". I don't fault them they're parroting the marketing line. With the new Grafana stuff that seems more like a real partnership because you have to purchase the enterprise features and support from the marketplace. What they've done to Redis and partiularly Elastic is pretty shameful.

The Elasticsearch Service has problems: you can't join the cluster like you can with the normal version, permissions are janky at best, it's slow, and it's expensive. For those reasons the projects my team used it on opted to roll our own elasticsearch cluster which proved a better solution long term beyond the initial annoyances. I say that to say it's not a one to one product, which will probably be their defense.

Same. But there is nothing preventing doing that and running a fork of Elastic, it's cheap enough.

I would do the same if I were AWS.

That’s absolutely not the right tool for indexing large volumes of text. It’s a time series database with very rudimentary labelling support.
This is a better alternative to ES strictly for log analysis application. Not for search.
Apache Solr?

Maybe not "better", but useful and with a Apache 2.0 license :)

Better in what ways?
In many ways. I could write a book about this but lets just say operational stability and reliability is the primary reasons.
Amazon is the new Microsoft.
*Oracle
I've been at the receiving end of Elastics selling tactics and pricing. Elastic is the new Oracle was my conclusion. IIRC the pricing was along the lines of $12k per CPU Core or GB of RAM. Straight from the nineties.
In my experience it was that by Node regardless of how many cpus or ram the node had.

Regardless very expensive.

And Mongo is something similar as well. Just running single instance (on infrastructure that you pay for) might cost about 3k or more per month.
I was told many of the more predatory players from Microsoft left to join Microsoft in the last few years. I need to look into this though.
"...players from Microsoft left to join Microsoft in...", wat?
Their license literally says they have the right to use this code as they're doing, shouldn't be mad at them for that.

Imagine putting a sign on your lawn that says people can walk on your lawn and are even allowed to poop on it if they feel like it and then getting mad at them when they do so.

That being said, I support their right to change their license to whatever they like if it helps them survive as a business or for whatever reason they see fit obviously, more power to them.

Use the code yes, but not use the trademarks. And also not publicly claim to collaborate when they actually do not give back. That's what they complain about.
That is not the point. There is legal and there is good - and simply reiterating that something is legal is unproductive and pointless.
I don't think the person you are replying to is making any kind of argument about legality.

I think they are saying that when you tell people something is acceptable, then they can only assume it actually is acceptable to you.

Exactly, what Amazon did isn't just legal, it is explicitly specified as OK by the license that the elastic search team selected for their code.
"So imagine our surprise when Amazon launched their service in 2015 based on Elasticsearch and called it Amazon Elasticsearch Service. We consider this to be a pretty obvious trademark violation. NOT OK."

Is that legal by your standards?

> I think they are saying that when you tell people something is acceptable, then they can only assume it actually is acceptable to you.

I think that is false. Most things that are said assume that the listener will self-moderate. If I have Crohn's or IBS and I post a sign on my front-lawn saying "bathroom free to use for those in need" I'm not expecting you to pull up a tour-bus full of tourists, move into it and use it as housing, or a sex den for turning tricks. I mean, I should clarify my sign, but honestly if you don't meet me half-way with self-moderation, you are the reason we can't have nice things.

Above all, make sure you always leave money on the table, _especially_ if you are the bigger party.

Sure, there is something to be said for reciprocating the generosity offered to you by taking only what you need.

I think this can become a complicated game of accounting though. Did Amazon take more than they need or did they just build a useful cloud service on top of a widespread open and free product that was released intentionally under those terms?

When Elastic chose the Apache license, what was the goal? Was it to allow as many people to benefit from the software as possible? If so, Amazon is clearly advancing that goal, not hindering it.

Or is the idea that Amazon is somehow blocking Elastic from competing in the cloud search space? Elastic is growing quite rapidly and Amazon's use of ES seems to have only accelerated that growth, so I don't really buy that either.

Furthermore consider this: Is Elastic reciprocating the generosity offered by Apache and the Lucene project, to which they basically did the same thing that Amazon did to them?

>I'm not expecting you to pull up a tour-bus full of tourists, move into it and use it as housing, or a sex den for turning tricks

But you should expecting that, you can't assume the listener will self-moderate.

Really? If someone comes over and you say "help yourself to anything in the fridge" you shouldn't expect that someone will take a snack and not clear out your fridge and load up there car with groceries for the week?
Yes I will expect that most people will not do that but some people will.

People are so diverse, I can't assume everybody behave the same, let alone behave the way I want.

This isn't really the spirit of Open Source though. The point of Open Source is that reuse and modification isn't just technically allowed legally, it's encouraged.

I fully support their right to change their licensing, and I understand they may not have thought through the implications of their license -- and I empathize with that. I also empathize with criticism that Amazon isn't doing a great job of supporting the ecosystem that supports them, it would be nice if they did more. And it goes without saying, but I also strongly empathize with the frustration about the borderline trademark infringement that's happening here. That's a completely separate problem.

But I don't like the implication that Open Source licenses are a legal technicality rather than a specific philosophical choice to allow reuse. People don't need to feel guilty about following Open Source licenses, the idea is to encourage reuse -- even by corporations.

We do harm to that movement when we try and backtrack from that philosophy or say, "sure, you have the legal right to reuse the code, but we're going to try and implement social/technical barriers to you doing so." There are plenty of decent source-available licenses projects can use if that's their intent. They carve out exceptions for small-scale reuse while trying to limit companies like Amazon from capitalizing on the ecosystem. And maybe more projects should use those licenses since they more accurately reflect the outcomes that the authors seem to want. There's nothing wrong with having projects that allow only small-scale reuse.

But if someone releases their project as Open Source I'm going to treat it like Open Source, because that's what the movement is about, and trying to reverse the legal progress we've made by constructing new moral barriers in front of reuse is harmful to that movement. When we say that people have a moral right to reuse, adapt, and share our code, we mean it.

Open source may be a moral system, but Karl Popper had a thing or two to say about actors who take advantage of the morality of a system for immoral ends. At some point, whether you or I appreciate it, the open source world was bound to have to reinvent a solution to that.
There is a solution to that already, it's called using source available licensing instead of Open Source.

But the point of Open Source is that reciprocity of code/money/value is not required. That's literally the scenario that many of us are trying to build.

It feels like the difference here is that you're looking at "someone builds a giant public hosting service off of our code" as an immoral end. But I'm saying that's not immoral, that is an acceptable result.

It's obviously not the result Elastic wanted, and I empathize with that, but... I don't know, maybe we need to educate people more about what Open Source actually means. Maybe we need to encourage more people to use source available licenses if there's a disconnect in how people understand the actual goals of the movement.

We believe that people have an intrinsic, moral right to share and reuse code. Not just good citizens who help build up the system and support us -- everybody.

I will define freeloading by those with the capacity to do otherwise as immoral any day of the week (and AWS functionally does a lot of that), yes, and I will define it in those moral terms regardless of the legal letter of a license. There is an implicit social contract that open source software absolutely and without question relies upon--and yes, large actors owe more in response than small ones in that calculus. When the social contract is abrogated by an actor who is beyond the capacity for shame or for criticism to change their ways--that's absolutely a problem. This shift of what open source means away from "Amazon, please co-opt and strangle at your leisure" is inevitable, and I don't really think it's wrong.

(I also don't like Elastic as a company, to be clear, and wouldn't shed many tears if they disappeared tomorrow, there's just a hierarchy of dirtbags and they're not near the top.)

As far as encouraging those source-available licenses--that sounds great, except that, in my experience, people with the temerity to offer source-available licenses get treated like shit anyway because they aren't giving away the farm. So I don't know where we go there, either.

Reusing code is not freeloading in the Open Source (capitalized) movement -- at least, not the kind of freeloading that we'd like to discourage.

I don't know what else I can do as an Open Source developer in my projects and my terminology to imply that when I say, "you can reuse my code for any reason" I actually mean it. I guess traditional Open Source advocates could abandon the entire term and go off and create a brand new movement where we try to make that even more explicit, but people are just going to follow us there and then try to coopt the term again.

> people with the temerity to offer source-available licenses get treated like shit anyway because they aren't giving away the farm

I will call out people who are doing that.

But really, the only comments I have about source available products are:

A) they don't offer all of the advantages of Open Source (although they offer many more benefits than fully closed-source software), and I think that pointing that out is not a moral judgement, just a statement of fact about what the licenses do and do not allow.

B) people who offer source available licenses need to stop saying that they're basically the same as Open Source, or that they're just a subset of Open Source, or that they exist because Open Source has lost its way.

Because the licenses are not the same. All other debates aside, both us at this point in the conversation recognize this, right? You and I are disagreeing about a fundamental philosophy on what rights and moral responsibilities people have around code. You fundamentally disagree with me about whether or not large companies have the right to completely freely reuse permissive code, or whether they have an obligation to pay for it. That disagreement is so large that it affects our attitudes about whether offering large-scale commercial hosting of an Open Source product is moral.

And it's fine that you and I disagree on that point, but we can look at that disagreement and say that clearly your goals when licensing software are different than mine. So to me, it seems pretty reasonable that people who have this fundamental disagreement with the OSI should acknowledge that instead of acting like the Open Source movement is broken. It's not broken, it disagrees with you about the goals are in making code available to other people.

It's not people being stubborn, it's not that the OSI doesn't understand the consequences of Open Source, it's that it does understand the consequences of Open Source and it disagrees with you about what consequences are desirable. The Open Source movement doesn't need shared source advocates to 'save' us, we need them to acknowledge that their goals are different than ours.

What’s your stance on Dual licensing? I honestly have had mixed Opinions on this, but I finally settled on Dual licensing and/or BSL 1.1 as a nice compromise. I think open source developers create a lot of value, and should have the facility to be compensated and have their passion become their job. Plus this whole Re-Licensing trend toward SSPL/BSL/Dual is IMHO the natural evolution of open-source strategies.
Dual licensing (using the GPL and a separate proprietary license) is kind of a hack solution that takes advantage of the fact that business hate the GPL. It can introduce some problems (it effectively bars you from accepting contributions unless you use a CLA, which many contributors won't do). However, while community is an important part of Open Source, the most important part of Open Source is the lack of restrictions on how people use/modify/share the code, so while people can debate whether or not dual licensing is a good idea, that doesn't mean the GPL stops applying.

Any code that is GPL licensed is Open Source. It might be distasteful to some people to force contributors to sign a CLA, you might get some criticism from some segments of the community, but it's not problematic in a way that means it's fundamentally non-FOSS.

BSL on the other hand is not Open Source, but becomes Open Source at the point where the BSL license expires and is replaced by an Open version.

----

Personally, I might get some pushback on this, but I actually kind of like BSL more than dual licensing. Dual licensing relies on the fact that people find the GPL toxic. It feels much more to me like a temporary solution, and one that only works by kind of dragging the GPL through the mud. Even among people who don't hate the GPL, it encourages them to think of it as a tool to enforce 'fairness', rather than as a complicated way to use copyright to push towards a world where every user has the rights guaranteed in the GPL for every program they run.

TBH, I vaguely suspect that some of the movement towards SSPL is an evolution of people's attitude towards dual licensing, where they thought that the un-attractiveness of the GPL was the point of the GPL, and now feel like it's not living up to it's 'promise'. The fact that Amazon is able to use GPL code to provide commercial services is seen by those people as a bug, not a feature.

Many of the downsides and restrictions around community contributions with BSL are also present in dual licensing because of the implicit CLA requirements in dual licensed projects. So it's not clear to me that BSL is more harmful to community-built software than dual licensing, and given the above trend, it seems a bit more honest (for lack of a better word).

Because dual licensing doesn't really affect companies like Amazon, it kind of encourages people into these arm races where people say that the GPL has failed in its job because some companies don't hate it (again, the point of the GPL is not to be impossible for companies to use). BSL on the other hand is very straightforward, and because it's upfront about its goals, it's not subject to the same kinds of weird arm races and escalations. You release software as proprietary, we all recognize that it's proprietary and that you want compensation for it, and then at some point it becomes Open Source. That's a really simple model to think about and build around.

----

But all that being said, code that is licensed under the GPL is Open Source, period, regardless of what other licenses it is simultaneously offered under.

BSL licensed code before it expires is not Open Source or FOSS: it's proprietary code that later is Open Sourced once a certain amount of commercial value has been extracted from it.

What's the immoral end? That more people are taking advantage of the technology offered in Elasticsearch? To me that seems like a moral and intentional end.

Or is the problem that Elastic can't effectively monopolize that technology which they purposely offered to the world for free? Well, of course not... how can both of those be true at the same time? The choice to release a product as open source is to intentionally prevent it from being monopolized.

These things seem like Amazon went beyond just selling their hosted version of Elasticstack:

"When the service launched, imagine our surprise when the Amazon CTO tweeted that the service was released in collaboration with us. It was not. And over the years, we have heard repeatedly that this confusion persists. NOT OK."

"So imagine our surprise when Amazon launched their service in 2015 based on Elasticsearch and called it Amazon Elasticsearch Service. We consider this to be a pretty obvious trademark violation. NOT OK."

"When Amazon announced their Open Distro for Elasticsearch fork, they used code that we believe was copied by a third party from our commercial code and provided it as part of the Open Distro project. We believe this further divided our community and drove additional confusion. "

> "When the service launched, imagine our surprise when the Amazon CTO tweeted that the service was released in collaboration with us. It was not. And over the years, we have heard repeatedly that this confusion persists. NOT OK."

This just means their CTO was sloppy, Amazon legal department would have never allowed that tweet.

> "So imagine our surprise when Amazon launched their service in 2015 based on Elasticsearch and called it Amazon Elasticsearch Service. We consider this to be a pretty obvious trademark violation. NOT OK."

This is a trademark violation indeed though IANAL, it doesn't require a change to the license to attack them for that. Definitely an abuse of power by Amazon though, completely not ok as they don't care about paying a fine for that, they have all the money in the world. But again, not related to the license thing.

> "When Amazon announced their Open Distro for Elasticsearch fork, they used code that we believe was copied by a third party from our commercial code and provided it as part of the Open Distro project. We believe this further divided our community and drove additional confusion. "

Elastic was known to mix proprietary and open source code and it got to a point where few people knew what was open source and what was not. Many people were not happy with this situation and elastic.co was abusing the situation to charge paid licenses as people were scared of using proprietary code without knowing. The work amazon did to remove all proprietary code from they fork was actually welcomed by the community though I'm not surprised they missed some as it was really hard to tell.

> This just means their CTO was sloppy, Amazon legal department would have never allowed that tweet.

And Elastic tried going the legal route:

https://searchaws.techtarget.com/news/252471650/AWS-faces-El...

It sounds like their whole issue was about confusion in the marketplace, though, and when someone does an oopsie that results in that kind of confusion, it may not be enough to take care of it quietly, on the side. So it seems now Elastic is making more noise, in an effort to clarify things more publicly.

>This just means their CTO was sloppy, Amazon legal department would have never allowed that tweet.

Surely the legal department would have issued some sort of retraction. Can you find it?

>Definitely an abuse of power by Amazon

Yeah, that's what we're saying.

>people were scared of using proprietary code without knowing...I'm not surprised they missed some as it was really hard to tell.

Amazon is a trillion dollar company that has every capability of doing their due diligence. Sloppy communication, abuse of trademarks and stealing proprietary code are all inexcusable behaviors by a company with the size and power that Amazon has.

You're describing the problem as if it were the excuse. Amazon abused their power, stole proprietary code, abused a trademark, and violated the culture of the open source community whose code they were leveraging for profit. There's no excuse for it, even if it was somehow legal - and I don't suspect it was. I suspect that Amazon knows it's not legal - they just figure they can get away with it.

> This just means their CTO was sloppy, Amazon legal department would have never allowed that tweet.

Sure, but we are not talking about "the intern tweeted something incorrect, gather your pitchforks until they delete it".

We are talking about a prolonged time span where AWS completely abused their massive size and market tower to basically do the legal and PR equivalent of laughing in the face of another company they were using and abusing. Details aside, that is a pretty grim view for the world of software, no?

(comment deleted)
> This just means their CTO was sloppy, Amazon legal department would have never allowed that tweet.

But the tweet is still up: https://twitter.com/Werner/status/649738362086027265 (archive: https://archive.is/0py42)

Pretty sure legal has reviewed it like a 100 times by now: AWS' taking no prisoners here.

It's not completely wrong. Using an open-source code to make something new is, to some extent, colloboration.
I am guessing that there's only two ways for them to remove the tweet.

1. Delete it with an apology (admitting guilt is not likely to be great for the lawsuit).

2. Delete it and say nothing (destruction of evidence is not likely to be great for the lawsuit).

> "So imagine our surprise when Amazon launched their service in 2015 based on Elasticsearch and called it Amazon Elasticsearch Service. We consider this to be a pretty obvious trademark violation. NOT OK."

I don't understand. If I have an ISP and I offer mysql servers, can't I call that offering "Eznzt MySQL Service"?

Given that Elastic are describing that they've tried every option, I including legal ones and Amazon elasticsearch service is still named as such, it would seem it at least isn't as clear cut as elastic believes
Or they have not had their day in court. Trademark litigation is usually pretty straightforward.
(comment deleted)
Is it exactly MySQL (but hosted by Eznzt) or is it something mostly like MySQL but different?
IANAL, but my understanding is that including the software package in the product/service name this would potentially open your company up to a trademark suit, because it potentiates customer confusion regarding the things that Elastic is complaining about w/r/t Amazon's offerings of Elasticsearch.

Personally, I find that thinking about this issue seems more intuitive when imagining tangible physical products. Imagine that Amazon decides to enter the Cookies as a Service market, and starts launching service offerings with names like 'Oreos by Amazon'. At a glance, would one not assume that this was some sort of collaborative effort between Nabisco and Amazon? I think the average consumer would. And the same probably applies in a situation involving a software product.

I’m confused too. IANAL but this seems like it’s a clear use of trademark.

Amazon sells Hershey bars through its site. I don’t think it needs to get permission to say “here’s the subscribe and save service to buy Hershey bars.”

I think the confusion is whether ElasticCo is endorsing or part of the service offering. So it should be clear that the offering isn’t by ElasticCo.

Back to the chocolate example, as long as Amazon doesn’t make it seem like Hershey is endorsing their site or offering the product they should be clear. I’ve seen this tucked into the fine print on stuff where it says that just because they are selling Hershey it has nothing to do with Hershey the company.

It seems odd that the company wouldn’t want it to be called AWS ElasticSearch as that’s what it is. ElasticSearch software sold as a service by AWS. Calling it something else is more confusing.

It's a bit more muddled then that since AWS isn't using the true ElasticSearch bits but rather an OpenDistro fork of it that they created themselves. So is it still ElasticSearch? Mostly, but it's not exactly the same thing either. But of course AWS would want to leverage the name recognition of ElasticSearch...
Opendistro is not a fork, it’s a collection of plugins that work with the open source elasticsearch distribution, basically it replaces what used to be called x-pack (security etc.)
Last time I checked, no, you couldn't. You could instead call the offering "Eznzt Service for MySQL".

A long time ago I had an open source project to manage mysql replication topologies, and I called it mysql-ha. At some point, they reached out to me about the trademark infringement.

They were nice about it, I did not get a legal notice or anything, just a contact from a MySQL employee pointing me to their policy (as in my response to your example: I could have called it ha-for-mysql), and requesting that I changed the name to make it compliant. I ended up with a full rename (called it highbase) and they were kind enough to give me a one year free subscription to MySQL Enterprise as a token of appreciation for my change.

In way that I think is interesting regarding the AWS and Elastic situation, what MySQL's trademark policy intended was to avoid the situation in which a third party could be confused by a product or project name (mysql-ha in my case) as to believe that MySQL, the company, was behind the offering. So any use of the trademark that made it clear they were not involved (as in the "X for MySQL" vs. "MySQL X") was ok.

I checked again, and the guidelines with Oracle are similar to what they were with MySQL AB: https://www.oracle.com/legal/trademarks.html

Specifically to your example (I think), see "Company, Product or Service Names ", where it states the following:

> Do not use Oracle trademarks or potentially confusing variations as all or part of your company, product or service names. If you wish to note the relationship of your products or services to Oracle products or services, please use an appropriate tag line as detailed above. For example, "XYZ for Oracle database" not "OraXYZ or XYZ Oracle"

> Imagine putting a sign on your lawn that says people can walk on your lawn and are even allowed to poop on it if they feel like it and then getting mad at them when they do so.

I mean, sure. Someone can poop on the lawn.

There is a difference between that, and some business coming along with a dump truck full of shit that they then dump on the lawn, and I'm sure you understand that.

While the imagery is evocative, scale of usage isn't a factor in open source licenses, so the metaphor sort of breaks apart. Sun found that out the hard way -- IBM probably profited off Java way more than pre-acquisition Sun.
This is meaningless analogy; no one is pooping here.

Whats happening is they’re selling the same product; legally they’re entitled to do so.

They’re selling it in a deceptive (perhaps even legally dubious way), and thats not ok; but forget that, this has nothing really to do with being the good guys for open source and amazon being the bad guys, thats just the narrative that the elastic PR folk are putting out.

What’s happening here is being out-competed by people selling the same product, because despite being technically inferior (in my view) the competition can sell more of it more cheaply and not really care about the margins.

So... yes, I’m sympathetic, but this PR dance we go through every time pains me.

Just say it: we’re struggling. We cant compete with Amazon on equal terms, so we’re changing the license to force them to pay us royalties, or stop selling it.

You’re not doing it from the goodness of your heart, and if amazon wasn’t kicking your ass, you wouldn’t care, you’d just be laughing at them “trying to run a cloud version of elastic, ha!”. ...but amazon is very very good at that, actually, and very good at selling it.

Who’s going to judge you for not having amazons scale? No one; but they’re not being dicks, they’re doing their jobs, very successfully.

If you don’t like losing, that’s perfectly ok, no one does... but it doesnt make them bad, it just means they’re better at it than you.

Changing things to preserve your competitive edge is totally ok; but I don’t think its right to spin this us-them AWS is the evil empire narrative; youre in this situation because of the decisions you made, take a bit of humble pie and acknowledge responsibility for it as well.

Why do you feel the need to to free PR work for Amazon? Amazon has no respect for its business partners, let alone competitors or employees; why should the Elastic team have an obligation to not be mad? Mad is a human emotion.
"and thats not ok; but forget that"

Why do we need to forget the trademark infringement?

If Amazon is engaging in trademark infringement, lying about their connection\collaboration with the trademark holder, and including commercially licensed technology in an open source fork of a project, they are acting very poorly. Your argument of Amazon just being able to execute better falls flat if these facts are true and it means they're cheating, and that deserves some recognition.

Imagine the sign says “(and that includes businesses with giant dump trucks, please bring it on)”

Because that’s what the license they used said.

> "There is a difference between that, and some business coming along with a dump truck full of shit that they then dump on the lawn, and I'm sure you understand that."

Is there a difference? The sign never said how much shit could be deposited on your lawn.

Glancing at the referenced lawsuits[1,2], the point of contention is not that Elastic's open source code is being used. It's that a.) Elastic feels its trademark is being abused in a manner that misrepresents the relationship between Elastic and Amazon, and b.) that Open Distro incorporates code in a manner that explicitly violates Elastic's licensing.

[1]https://images.law.com/contrib/content/uploads/documents/403...

[2]https://www.courtlistener.com/recap/gov.uscourts.cand.347725...

That tweet about the partnership is a pretty damning exhibit to a trademark infringement suit.

And yeah, "Amazon Elasticsearch Service" completely fooled me for about a week until Google searches revealed enough about how elastic.co isn't just a site promoting Elasticsearch, but was a provider of instance configuration.

I don't believe the issue most are taking here is the license itself that elasticsearch now has, I think its the relicensing of existing contributions (ironically including those from AWS and their employees) which were originally under a true, well-accepted and liberal FOSS license.

If elasticsearch had this license from day one, that would be fair enough, but many people do not freely contribute time and effort to improving something which is not freely available to all others (whether individual or large corporation).

Elasticsearch is self-victimising here when they are arguably exploiting FOSS contributors good will (though due to the CLA what they are doing is most definitely legal).

> ironically including those from AWS and their employees

Does AWS ever contribute anything that isn't an AWS integration? I'm not asking rhetorically -- those are the only kind of "contribution" I've ever seen from them.

Elastic is not and legally cannot change the license of code contributed in the past. That code will always carry the original license.
You are correct, sorry my wording was clumsy and inaccurate. I should have clarified that the project itself is now under a different license, though I believe the net effect is similar to relicensing the original code, as forks are unlikely to be sustainable.
(comment deleted)
I agree, and if they had a problem with it, why didn't they say so 5 years ago?
The license for the main Elasticsearch is that, but they have some proprietary features (Machine Learning etc.) which are under a proprietary license. Amazon copied code from another project which had stolen this proprietary code from Elastic and resold it under their own banner. https://www.elastic.co/blog/dear-search-guard-users
Most of the issues in the article were about misuse of the Elasticsearch trademark. This seems like a fairly simple problem to deal with. AWS should not be competing with Elasticsearch using it's own trademark. The licensing changes really do nothing to solve the bad behavior by Amazon.
It's more like having the sign say "feel free to do what you like" then someone poops on the lawn and you sigh and have to update the sign to say "no pooping, though".

Most free/open source software licences come from a different time. In most cases they are applied because the authors want to do open source and it's expected that the licence is enough to uphold that spirit. But it's not enough and hasn't been for a long time now. The AGPL was created for this reason but oddly developers have gone the opposite direction and "permissive" licences have become the fashion. Many of them are now realising there was a reason for licences like GPL and AGPL after all.

>Their license literally says [...]

Hence the license change yes?

Too late, licensing changes are not retroactive.
Another view, they opened/maintained a lawn wherein you can come have picnic and may buy some drinks from the store, which covers the cost. Now a super chain opens next to them and uses park as free seating for its customer. So they are adding rule against that.
No. You are confusing between following FOSS licensing to the letter and following the spirit.
I'm just a bystander in this regard as it's not really my domain, but have played around with AWS a bit and I must admit, I didn't realise that ElasticSearch wasn't Amazon's own product per se.

Seems to me that Amazon has grossly overstepped fair play here.

> Their license literally says they have the right to use this code as they're doing, shouldn't be mad at them for that.

Apache 2.0, section 6:

> 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

Elastic's other blog post with a clarification about their recent license change is also interesting: https://www.elastic.co/blog/license-change-clarification. Apparently, they're considering further license changes such as MariaDB's Business Source License in which code is usable for anything other than offering the product itself as a service but becomes fully open source (including SaaS) after 3-5 years. That makes it pretty clear that it's meant strictly for competition with AWS.
Thank you. I skimmed the linked article and saw only ranting. Maybe we can change the link to this post?
I read the whole linked article and was disappointed there was no explanation of the license changes they made - only justifications for the change.
I think the title covers that this is "why" the change occurred. Not the explanation of the license they changed to.
That’s fair, if perhaps a bit pedantic. I suppose I was expecting some explanation of why the language of the new license would address these “whys” as opposed to just a list of grievances.
I kept feeling like I was reading the same thing over and over and just not finding out what exactly Amazon is doing now that it won't be able to do in the future. Skimming the links to the blog post and FAQ didn't help much.

Whatever it is it's pretty deep in the weeds. It looks like the intent is for most users to be unaffected; non-AWS cloud providers to be unaffected; even AWS's Elastic Cloud to be unaffected; but AWS has to stop doing something with specific regard to Elastic Search and I can't figure out what it is.

> hack the source code to grant yourself access to our paid features without a subscription, or the use of modified versions in production.

I think the change that you can’t modify the code and use it yourself in production is a big change that is glossed over. ES is now free as in beer. You can look at the code but you can’t touch it or change what it does.

Edit: I was wrong about this. The license itself does not say this, but the blog post seemed to indicate that it was a change. I think it’s an exclusive inclusive or problem.

This is false. License [0] clearly states the conditions under which you can do it and they seem pretty reasonable. Nothing that a normal user, faced with an issue they want to fix, wouldn't accept. I imagine Amazon would have trouble accepting those and other terms, but that's the whole idea.

[0] https://www.mongodb.com/licensing/server-side-public-license

No, you are both correct. You are talking about the SSPL, the parent poster you are replying to is talking about the Elastic License which does in fact prevent you from modifying the code and running it in production:

See 2.2 Restrictions: https://github.com/elastic/elasticsearch/blob/master/license...

With the dual-licensing you have a choice of Elastic license or SSPL, but they both have terms you might not like. And if you use the binaries you automatically use the free as in beer Elastic license.

> Then after a period of time, typically 3-4 years, but not more than 5 years, the restrictions lapse, and the source code automatically converts to an Open Source license, in our case Apache 2.0.

I’m not familiar with this type of license. Any idea how/when this time frame is decided? Is it 3-5 years from software release?

I guess I’m confused by the use of “automatically converts” with a vague timeline. If it’s automatic why isn’t the time of “automatic” conversion more definitively known? What’s the event that triggers the change?

Good explanation here: https://perens.com/2017/02/14/bsl-1-1/

It’s from the day that the code is released under the license and the four years is the max under BSL (so that people know roughly what the “worst case scenario” it a BSL licensed software would be) but can be specified to be shorter by the one releasing code under it.

Not sure if it's still the case but Ghostscript is or was like this - a licenseable current version possibly with extra commercially relevant features (e.g. PCL) plus an open source older version.

Edit: https://artifex.com/licensing/commercial/ notably this lets you avoid concerns about integrating GPL with your commercial offering.

Great post, thanks, had totally missed that, great that they are evaluating BSL as well, this should really get up there on the HN front page as well.
"When the service launched, imagine our surprise when the Amazon CTO tweeted that the service was released in collaboration with us. It was not. And over the years, we have heard repeatedly that this confusion persists. NOT OK."
They kinda do the same with Redis.
I have never seen the Redis maintainer(s) complain about it though.

Would be interesting to compare/contrast, what leads to the difference.

They do the same with lots of products really. Postgres and MySQL too for instance. Also never seen postgres or mysql maintainance teams complain about it.

What are the contextual differences that make it a point of conflict with authors/maintainers in one case but not others?

Plenty people spending a lot of their time working on Postgres have complained about Amazon's style of using open source. Among them myself (long before working for an AWS competitor). Most of us don't have problems, or even the opposite, with companies making loads of money with Postgres. What I/we am severely disappointed with is that they barely put resources towards contributing back. Every now they make grand statements about their community support, but in the end little materializes.

This is purely my personal opinion.

Redis itself is proper open source. There are a few modules, completely separate from the Redis code base, that aren't open source (even though Redis Labs will claim they are, like how Elastic claim Elasticsearch is open source).

The other non-open-source-but-wants-open-source-clout is Mongo.

I think it's more about the source of the revenue stream. Redis (from what I know, which is minimal) relies more on support - they have a hosted solution but support/licensing of modules is where they really make money. Elastic relies on hosting - they've invested a lot in infrastructure.
This isn't true. Modules are free (unless you're a hosting competitor) so there is no licensing revenue there. They might be charging a handful of enterprise customers for special module support, but that isn't their main revenue stream. Their revenue is from Redis Enterprise which is a Redis hosting solution (managed cloud, unmanaged cloud or on-prem). Redis Enterprise is entirely closed-source, but it's an infrastructure management system and not a data store (it isn't Redis).
Redis Labs only supports Redis Enterprise. They're not in the business of offering support for Redis.
No, the difference is that Elastic is a massive $15 billion company which needs more revenue to survive, while Redis is still largely run by one person.
This isn't true. Salvatore retired earlier this year. Redis is run, more or less, by Redis Labs which is valued at $1 billion.
While it is true that Salvatore retired last year, Redis is still FOSS under the BSD license, and it has a new governance team. Redis Labs is in the drivers seat with 3 of the 5 members, including 2 Project Leads. But there are members from Alibaba and AWS https://redis.io/topics/governance

If Redis Labs were to do something stupid with the Redis OSS license, Alibaba and AWS would fork it faster than you can HyperLogLog.

Too help clear up confusion between Redis & Redis Labs, you can read about the various licenses here: https://redislabs.com/legal/licenses/

That's incredible. After two years and many other databases really going non opensource, Redis, the only one that really stayed BSD, is still victim of this misinformation that claims it is no longer open source. Folks, we are supposed to be a bit more informed than the average person here. We can do a little better.
Elastic was an open source project, and now it's not. This was done because they believe it will be more profitable. It does affect you, especially if you contributed to the project, in which case they're basically spitting in your face as thanks for your hard work. This is not materially different from when Oracle infamously killed OpenSolaris, something they were rightfully crucified for by the community.

They're not wrong about Amazon misinformation, use of trademarks, and so on, and should have pursued the legal remedies for this more deeply. Called them out publically, and shamed them like this post attempts to do. But, if it didn't work, tough shit. It has nothing to do with the license. They made a contrat with their community when they choose an open source license.

>We created Elasticsearch; we care about it more than anyone else.

No, you didn't. Elasticsearch is the combined work of thousands of contributors.

Aside: using "Free & Open" in your messaging is a pretty low move, deliberately designed to mislead users.

There’s still an oss license elasticsearch, they packed a lot of extra features to compete with Amazon distro and that bundle has a different license
I think you are mistaken and have missed the recent news which OP is about, but I'm not totally sure what you are talking about.

Which license do you consider an OSS licensed elasticsearch?

Earlier you didn't say OSS - you said open source
The apache license, https://github.com/elastic/elasticsearch/blob/master/LICENSE...

If you don't use any of the x-pack features (which used to be paid) you're all good.

(comment deleted)
Nice to see someone at least standing up to the behemoth that is Amazon
"And to be clear, this change most likely has zero effect on you, our users. It has no effect on our customers that engage with us either in cloud or on premises."

No, that's just not true. So many users, from small hobby side-projects, to large open source projects, and mega-corps care about the licensing of dependencies, each for their own reason, and will not want to build on top of proprietary software that imposes draconian licensing terms.

It doesn't matter what they say, read the license. It's vague and there is no legal precedent. It's a big risk for anyone who cares about licensing issues for their projects.

If you're a paying customer, you are probably fine.

If you're using SSPL'd Elastic (or Mongo DB, the risks are the same) for anything serious -- i.e. beyond a hobby, get legal advice ASAP.

SSPL isn't an OSI certified license; many would call it at best a 'shared source' license because of the riders attached.

[DELETED because, as user `gpm` points out, OSI doesn't own 'open source' as a trademark, sorry about that -- the need for legal advice doesn't go away, however.] In fact given their kvetching about Amazon and their trademark, Elastic's cheerleading of open source in this and the original blog post seems to be a bit misleading and doing OSI's trademark a disservice.[/DELETED]

OSI does not have a trademark on the term open source, they tried and failed to acquire one.
Trademarks are not a requirement for defining terminology. The word "cake" is not trademarked, but if I sell you a used car tire when you buy a "cake" from me, I still lied and misled you about the product.
I think they need one.

Comically, this is why trademarks exist to prevent people from confusing the market with similar and reused terms.

I think we need a CreativeCommons-like trademark for open source software before it’s too late.

I think "OSI Approved Open Source License" could easily be an OSI trademark, if it's not already.

Ironicallly, like many other organizations, Elastic themselves have used OSI's approval as a benchmark for 'open source'[1]:

> Is X-Pack now open source?

> Updated on 2018-04-24 with a link to the Elastic License

> Open source licensing maintains a strict definition from the Open Source Initiative (OSI).

> As of 6.3, the X-Pack code is open under the Elastic License. However, it will not be 'open source' as it will not be covered by an OSI approved license. The interaction model for open X-Pack will be identical to the open source Elastic Stack, including the ability to inspect code, create issues and open pull requests via our existing GitHub repositories.

[1] https://www.elastic.co/what-is/open-x-pack

> I think "OSI Approved Open Source License" could easily be an OSI trademark, if it's not already.

Something along those lines is trademarked

I think there are valid differences in opinion in what “open source” means and an organization with an agenda shouldn’t try to own the terminology.
> I think there are valid differences in opinion in what “open source” means

Disagree. It's a well standardised term of art: it means what the OSI define it to mean. It's pretty precise, and is not a meaningless marketing term like premium. Similarly free software (and especially Free Software) means what the FSF defines it to mean.

When people start using these terms to mean whatever they feel like it should mean, it muddies the waters for those of us trying to have serious discussions about these topics. Tellingly, such redefinitions are generally broader than the accepted OSI definition, so as to include whatever product someone is trying to push.

> Tellingly, such redefinitions are generally broader than the accepted OSI definition, so as to include whatever product someone is trying to push.

I disagree. In fact I'll present the counter example of "myself". I don't agree with the OSIs definition of open source, I think it run contrary to the plain meaning of the term, and is contrary to pre-OSI use of the term. I've argued that numerous times on this forum (and I'm going to avoid repeating these arguments in depth here, just google "gpm Open Source site:news.ycombinator.com"/"gpm Open Source site:lobste.rs" and you will be able to find the arguments).

I have never pushed a product claiming to be open source that does not meet the OSIs definition, nor do I anticipate I ever will, since that seems to be a great way to make discussions about the product devolve into arguments about licensing, which is terrible advertising.

The fact that these arguments usually only come up when there is a reason to argue, i.e. someone has used the term in a way outside of the OSIs definition, does not mean that people only think the right definition of the term is something else when it's for their own benefit.

Frankly I don't get why OSI proponents are so angry about the use of the term Open Source, when they can just unambiguously use "OSI Approved License" instead.

It's borderline gatekeeping and it irks me to no end.

> It's borderline gatekeeping

No, it's a term-of-art. When people muddy the waters and try to undermine the standard terminology of a field, it's not some righteous struggle to liberate a term, it's just an obstacle to clear communication.

In aviation, flap is a precise term-of-art, and is never used interchangeably with aileron, despite that an aileron is plainly a kind of flap (in the colloquial sense). If you adopt your own definition of flap, to refer to both flaps and ailerons, no-one is going to sue you, but no-one is going to know what you're talking about. Your use of the term will be considered not merely different, but wrong.

Similarly, you could try telling a physicist that you consider the words power and force to be interchangeable. They're not going to sue you, but they're also not likely to entertain your deliberate misuse of standard terms.

Are pilots and physicists gatekeeping by being so insistent that you use their terms their way?

But it’s not a term of art, when it was first used it had a broad scope for more or less anything where source was made available to users of software.

The OSI definition is a newer more narrow definition adopted long after the term was in broad use.

And fundamentally, the literal meaning of the words open and source do not have connotations beyond the source being available for viewing.

Please cite this supposed earlier pre-OSI usage. Can you?
Apparently the OSI was founded February 1998, the same month the term open source was first coined [0][1]. The OSI says [2] The Open Source Definition was then created during the launch of the OSI in Feb. 1998 by revising the DFSG and removing Debian-specific references.

This seems to indicate that the OSI's precise definition was pretty much there from the beginning, unless they didn't really coin the term open source and it was floating around beforehand. I've heard from others that open source was in use before the OSI definition, so perhaps that's the case.

As I mention in my response though, I don't think the term's early history much matters.

[0] https://en.wikipedia.org/wiki/Open_source#Origins

[1] https://web.archive.org/web/20021001164015/http://www.openso...

[2] https://opensource.org/history

You say you’ve heard that but you cannot find the proof, because if it was in use, it was only used occasionally. They coined the term and they gave it the definition.
> when it was first used it had a broad scope for more or less anything where source was made available to users

I'm not sure the early history of the term really matters. Presumably early aeronautical engineers and early physicists had to all agree on the terms of their field. It's fortunate that they did so, and now that their field is mature, their terms are clear and unambiguous.

Someone without an education in physics might not be able to intuit that physicists use the terms strength, hardness, and toughness in distinct and precise ways.

> The OSI definition is a newer more narrow definition adopted long after the term was in broad use.

I'd say it's a more considered, more precise, more meaningful definition.

> the literal meaning of the words open and source do not have connotations beyond the source being available for viewing

I already gave the example of flap, a precise term-of-art in aviation that reuses a non-technical English word in a way that cannot simply be intuited.

I also don't see that open needs to be a synonym of viewable. I think it's fine that open be used to refer to something broader, as in the Open University for instance. [0]

[0] https://en.wikipedia.org/wiki/Open_University

I don't think we really need that. The current solution works relatively well: anyone using open source in a sense other than that described by the OSI, is reliably met with a hailstorm of criticism on HackerNews for being disingenuous. That's as it should be. It's a term of art in the software world, and we don't insist on legal enforcement of every term of art.

I tend to capitalise the term, Open Source, to emphasise that I'm using it an a precise way. I do the same with Free Software. Not ironclad, but I figure it probably helps.

With all of that said, I don't think anyone should be permitted to deliberately mislead people when they're pushing a product. It's obviously right that false advertising is forbidden by law.

That’s what I used to think, but now more companies use “open” with non-OSI licenses and they aren’t run out of town and told STFU.

Personally, any project using “open” in the name that’s not OSI, I pretty much ignore. But it seems to be growing (eg, “open core”, “openai”, stuff like this taking about open with non-open licenses).

It’s getting hard to filter out. One of the benefits I think to CCn is that it clearly lets users know what is and is not allowed. Having OSIn might help with people who don’t read licenses for fun.

It's especially ... ironic, that they think Amazonification is not-ok, but Enterprizificaion (open core) is a-ok.

That said hosting ES is basically the same as building a carwash, or a gas station, or let's say a printing house. You get the machinery and build your own support services around it.

Even the unit economics are not that different. AWS spent probably millions of dollars to push the marginal price down. The initial cost of procurement for machinery might be zero for ES as opposed to buying a printing press, but none of the aforementioned sectors are limited by the cost of machinery. In case of brick and mortar services the cost of land, labor, construction, and logistics are all a lot more important.

Yes, okay, but what about AWS's advantage, their "moat"? Elastic will never be able to match that. This is the same problem that plagues the browser, phone OS (and other) markets. Google can easily spend a billion USD each year on fiddling with Chrome and Android. Mozilla, Canonical, KDE, and others can't.

AWS has the platform advantage, Google has money.

It seems these market forces virtually force ES to become a "public good" like the Linux kernel. (Or Elastic could try to fork it and stop using any kind of free/open/available license. And try to find business niches.)

But at this point the cat is out of the bag. Likely no amount of license engineering will be sufficient to overcome AWS' advantage.

The cloud providers would just build a competing service if they couldn't co-opt an existing popular open source solution. Or anoint an adjacent solution, like solr in the case of elasticsearch. But what can be done and we really haven't seen a "open-core" type infra component try this yet: is require open-sourcing changes. The opendistro approach sorta gets us there, in a hard-fork sense, but seems in adequate and is really only being done for connivence rather than licensing requirements. But we already have a licensing solution: the AGPL. But no enterprise or saas startup wants to touch AGPL software for the fear of it contaminating proprietary code. So it seems to me the solution is a hybrid APGL for cloud providers and apache/mit for others approach. Such a license seems feasible to write and would be superior to open-core for most users.
... a bit theoretical, but how is the GPLv3 with the anti-Tivo provision okay?

OSI definition 10: License must not restrict interface, and def. 9. License must not restrict other software it gets distributed with. (So I can't put my encrypted bootloader and verifier into the same thing.)

"OSI certified" doesn't mean shit regardless in a legal manner. It's just toilet paper. Always have your own legal review by IP lawyers.
Yep, it's also incompatible with virtually all copyleft open source licenses. So if you were using any AGPLv3 code with elastic you now have to switch to Amazon's fork.
Is incompatible with non-Affero GPL?
Yes, it's incompatible, although you might be fine if you aren't distributing it or running it as a service. SSPL requires re-licensing of all code to the SSPL, GPL has provisions that disallow re-licensing.

> the simple requirement that if you provide the product as a service, you must also publicly release any modifications as well as the source code of your management layers under SSPL

This provision is effectively impossible for anyone to comply with in practice. Calling this a "simple requirement" is a barefaced lie.

Especially that no independent party with any authority (ie. a court) determined what's covered under "management layers". If I use a custom kernel (that's optimized to run the JVM and has filesystem and block storage optimizations for ES), do I have to provide the source for that? (It seems trivial that it's not "management", but naturally Elastic's interest lies in arguing that yes, that are covered under management layers too.)
"with" Elastic how?

I doubt that is true, in fact it seems like a completely random FUD statement. At least GP tried to make heir FUD ambiguous.

This lack of clarity in law will likely result in huge issues in the sale of your startup if you ever go that route. Who wants to buy a potential lawsuit because of a database selection?
There are always "potential" lawsuits, and stripes already use many many licensed dependencies with various proprietary licenses.
This is true, and there are entire categories of licenses which are considered untouchable in an acquisition because of the risk associated with them.
I find these kind of obscure, “don’t worry” posts to increase my worrying. Part of the simplicity of open source is that it’s available for easy audit. Having to hire lawyers to use a product means I probably won’t use it.

I also think having people saying “we’re open, but read the fine print” is not good for open source collaboration as it increases confusion and complexity.

Elastic is moving the way of a commercial software company. That’s perfectly fine as it’s their company, but it’s just different than open source.

Yup. If you, understanding your product, your users, and your licensing, write a post for your users not to worry, it means that you thought about your changes and came to a well informed position that there was reason for worry.
The Hitchhiker's Guide to the Galaxy starts out with "Don't Worry". By the end of the sixth book in the trilogy find it was right to worry all along.
Or you might have a history of people being mad at you (for good reasons, like the story of security of the ELK stack). They know very well everybody will get mad again, so they precede all explanations by "don't worry".
Well, you try to make it sound unlikely, but it's exactly like corporate messaging that there are no plans for layoffs in the wake of bad financial news.

The idea that a license change made to prevent competition and enable a business model centered around extracting monopoly rents from customers has no effect on customers is ludicrous. It's whole point is to have an adverse effect on customers.

So what should we be using instead of elasticsearch for logs? To mitigate that licensing risk?
ClickHouse. It's Apache 2.0 and will stay that way.

Edit to add disclaimer: I work on ClickHouse.

Using an AGPL-licensed fork does not suffer from this risk.
We're using Grafana and Loki to great effect.
Loki and grafana are great, use it on all my clients eks clusters.
The open source world needs to come together and create a license that is well crafted. Otherwise we will keep seeing these less suitable licenses.

So far the FOSS world seems to be pretending this problem doesn’t exist. Pretending a problem doesn’t exist doesn’t make the problem go away. It makes you go away as you become irrelevant.

There is the AGPL, but it's not quite right. It also has the letters G-P-L in it, which spooks a ton of people still influenced by Microsoft's billion dollars worth of anti-GPL FUD. (I'm convinced you could just rename the GPL and all those problems would go away.)

> The open source world needs to come together and create a license that is well crafted.

It has created several.

It hasn't created licenses well-crafted for purposes directly contrary to the purpose of having open source software, because that's not what the open source community is interested in.

> So far the FOSS world seems to be pretending this problem doesn’t exist.

From the point of view of the FOSS world, the issue here is not a problem; creators having an exclusive ability to monetize software as a service isn't a purpose open source is intended to serve; in fact, avoiding the lock-in that results from such exclusivity is a big part of the point.

> From the point of view of the FOSS world, the issue here is not a problem; creators having an exclusive ability to monetize software as a service isn't a purpose open source is intended to serve; in fact, avoiding the lock-in that results from such exclusivity is a big part of the point.

If the creators get nothing, then why bother? Why slave away to make software just to give free labor to billion dollar companies while you get nothing? Is free labor for Amazon what open source is about?

If open source refuses to adapt to the realities of today's software ecosystem, it will die out... or at least "serious" open source projects will die out and all that will remain is hobbyist level stuff, abandonware, and half-done academic projects.

Personally I do think FOSS in its present form is going to die for most major projects. You'll still see FOSS libraries, building blocks, academic projects, and some major projects that really are large and old enough to have enough real grassroots contributors to keep them going. For major projects in the future you're going to have something more like a shareware model but with source-available.

Nobody creating a new large-scale project today is going to give it a license that they know will result in somebody else productizing it, making a fortune, and giving them nothing. At least Amazon acknowledges where things came from... in some cases the productizers even rename the project and don't even give the author credit.

FOSS and its gift culture ethos just isn't working in today's world. The software market of today is a dark forest.

> FOSS and its gift culture ethos just isn't working in today's world.

It absolutely is working the same way it always has (to which “gift culture” matters only around the edges). It doesn't work for people who want to start a business with a business model of using copyright law to extract monopoly rents, but then, it never has, and that's always been the point.

And, yes, it's not, for that reason, a good fit for narrow software entrepreneurship, but that's always been the domain of proprietary software.

What's new is startups building on OSS to build mind share, and then trying to shift to rent extraction while wanting to pretend to still be interested in OSS.

I don't think I totally disagree, but here's the problem: if OSS is not a good fit for software entrepreneurship, then it puts a really severe cap on how advanced, polished, easy to use, or well supported OSS can be, because pushing really hard on software development and implementing tens of thousands of hours of fine-grained polish is far beyond what the vast majority of people can afford to (or are willing to) volunteer for free.

It places really polished products beyond the realm of OSS. If you're fine with that, then there's no problem. Perhaps OSS has achieved its goal, namely creating a free and open software ecosystem for nerds and by nerds.

I can't think of a single OSS project used (directly) by a large number of the general public that does not have a company behind it. I think that says something.

> if OSS is not a good fit for software entrepreneurship, then it puts a really severe cap on how advanced, polished, easy to use, or well supported OSS can be, because pushing really hard on software development and implementing tens of thousands of hours of fine-grained polish is far beyond what the vast majority of people can afford to (or are willing to) volunteer for free.

Even if they start out as labors of love, OSS that gets beyond the niche stage tends not to have most work done “for free”, it's done (or paid for) by people/firms who are using the software in their business, but where the software is supporting, not the thing being sold. (Whether the OSS is infrastructure that is invisible to customers, or whether what is being sold is support and professional services tied to the OSS software.)

Very few OSS projects get popular enough and are structurally amenable to that kind of group contribution scenario. Of those that are, in most cases it results in an unusable hodge podge of crap rather than a well crafted product.
> Very few OSS projects get popular enough and are structurally amenable to that kind of group contribution scenario.

Yes, very few open source projects ever move out of the fringes of relevance. That's always been true. The idea that there has been some radical change making OSS less relevant is just false; what has happened is that OSS has gotten enough mindshare that people who want to use business models that OSS has never been a good fit want to use OSS as an early marketing gimmick, and then pivot out of it without paying a price for not being OSS. And are upset that people who do care about OSS are calling them on their B.S. when they try it.

I think we have a very different view about the goals of OSS then, and I think your idea of its goals is narrower.

I wish all software could be at least source-available and preferably available under even more liberal terms if that could be made to work. That way we could see how things work, learn from things, debug with the benefit of source, port things to different platforms or fix platform problems without waiting for the vendor, contribute if for no other reason than experience, and preserve software after vendors go belly-up without having to resort to emulating old platforms whole cloth.

I also wish there was mainstream adoption of open software for privacy and security reasons. I wish people could use operating systems, web browsers, messengers, and so on whose source could be audited so people could understand privacy implications.

That would all give us more freedom and more transparency, but it also requires a business model to sustain those kinds of projects. As it stands nobody outside geekdom uses open source software because there is no business model to sustain OSS with the degree of polish demanded by end users.

> It doesn't matter what they say, read the license.

I would love to but the terms within the ElasticSearch codebase on Github are quite confusing. Here's the text of the LICENCE.TXT file.

  Source code in this repository is covered by one of three licenses: (i) the
  Apache License 2.0 (ii) an Apache License 2.0 compatible license (iii) the
  Elastic License. The default license throughout the repository is Apache License
  2.0 unless the header specifies another license. Elastic Licensed code is found
  only in the x-pack directory.

  The build produces two sets of binaries - one set that falls under the Elastic
  License and another set that falls under Apache License 2.0. The binaries that
  contain `-oss` in the artifact name are licensed under Apache License 2.0 and
  these binaries do not package any code from the x-pack directory.
Aside from not showing copies of the applicable licenses, it seems you have to read the code headers to determine which source file has which license. There are a lot of ways to respond to competitive threats from Amazon, but this approach is increasingly chaotic the closer you look.

[1] https://github.com/elastic/elasticsearch/blob/master/LICENSE...

Does this even work? ES was considered 'one work' at some point, right? It's developed together, not file-by-file. How is it possible then to license it file-by-file? Wouldn't most of those files be derivative works of the old 'one work' anyway? (Meaning they have to keep the original license, meaning "the default license, Apache License 2.0"?)

Sure, at some point someone started to create a plugin for ES (let's say the security/ACL thing in x-pack, used to be called Shield or something like that), they used the ES API and they used runtime linking. (I have no idea if that's okay or not, has been tested in court or not. I know the US Supreme Court will say something about that in June.) But when developing any feature in that plugin nobody thinks of just that plugin. Folks think about ES as a whole, indexes, shards, documents, terms, maybe even in terms of low-level Lucene primitives.

I think it's practically impossible to wear the OSS and the proprietary hat at the same time. (Or separately but on the same project.)

If ES is the sole copyright holder, they can license it to whomever they wish under whatever license they wish. IANAL, but it seems perfectly coherent to me that they can say "If you build the software this way, we release it to you under X license. If you build it that way, we release it under Y license."
It sounds like everything outside of the x-pack directory is Apache or compatible with Apache, so the -oss binaries are Apache
Open-source and free software licenses don't imply that the source must remain served on some site, and it doesn't imply that the license for the code cannot change for future versions of that code necessarily- as it depends on the license and/or other factors.

But if you have a copy of the license and the code and it permitted use of it perpetually, then it can continue to be used. That's my understanding.

The license change to the dual-license with SSPL and Elastic License hasn't happened — this is the state so far and all the code outside the `x-pack` folder is Apache v2 licensed.

Going forward the repository will have a dual-license and the top image on https://www.elastic.co/pricing/faq/licensing can hopefully explain that better.

[Disclaimer: I work for Elastic]

So what would be your advice for them in this situation? They are developing a product for Amazon for free, Amazon is making tons of money on it and they don't receive anything back.
The problem of the known open source licenses (vs this no-precedent one) is that they were made long time ago for other situations and they do a poor job at protecting open source authors from the abuse that we see from Amazon and similar.
I'm confused by the "abuse" part. If I think the author of the GPLed project "foobar" is a jerk, and I fork it and maintain it without colaborating with foobar's original author, am I "abusing" the GPL?

Personally, I don't think so, and I think I should have the right to do so. I wonder how this is different from Amazon behavior here. (I want to make clear that I'm not saying Shay or anybody at elastic is anything. This is for the sake of the example.)

Now foobar's author can stop me from using his project name by registering a trademark on it. But the GPL is working as intented.

At the end, "maintaning" a fork of Elastic is wasted engineering effort and time, it would be better to collaborate. But I personally think Elastic should just ignore Amazon and keep doing what their doing, instead of making their product proprietary.

I never said forking is abusing. But if you fork it, position it as an official product with the same name on your platform and lie on twitter saying that your foobar was a collaboration with the original foobar author then yes, you are definitely abusing your power.

On the other point: "the GPL is working as intented" yes but not as the authors want, hence the change of license! Nothing wrong with that IMHO.

As I said, foobar's author can sue me over trademarks in the situation you've described.
Switching to SSPL feels more like retribution than a fix for the problem. But sadly nothing can be done if Amazon is willing to flagrantly steal your trademark.

At least switching to SSPL might bubble the related trademark issue up to a higher-paid set of lawyers within the Amazon monstrosity, and maybe it'll get resolved.

This is fine.

No seriously. Hear me out.

If you are a proponent of capitalism then this is how the system works.

The little fish grow into big fish. The big fish eat the little fish. The ecosystem suffers.

It has always been this way. Many of us remember Microsoft in the nineties. Fewer will remember the phone or oil industry doing the same.

Don’t fight this issue. Fight the system that tolerates this pattern. Money in politics, high cost of litigation are both the real concerns.

Your examples from the past were all knocked down (MS) or broken apart to keep the market available to competitors. Are you saying we should do this or just get money out of politics?
MSFT was broken apart. The DOJ trial only began after a decade of microsoft abusing their market position and destroying numerous companies.

I'm saying large industry has undue influence over the regulators and so action only comes when companies like Elastic have gone bankrupt.

There are no better alternatives.

And about the ElasticSearch, they should have just used a different license.

Reflecting on this more I think capitalism is the wrong word. Completely unregulated markets is what is really the issue. It leads to the incumbents extracting all the profit and then using their monopoly position to extract rents for the next few decades.
Would ElasticSearch have gotten as popular as it has if they had used a non-opensource license from the start?
> There are no better alternatives.

That's a strong claim - evidence?

> And about the ElasticSearch, they should have just used a different license.

Hindsight and all that. Not saying I fully agree with Elastic's approach, especially the license uncertainly it creates as noted elsewhere in the thread. But Amazon seems to have gone beyond "hey, this open source, nothing to stop us offering it" here. From The CTO's suggestion Elastic was a partner, to questionable trademark infringement, to potential copying of closed source code. If you read the article, it's notable that Elasticsearch continue to have working relationships with Azure and Google among others.

So there's more to this than just "should've used a different license".

Capitalism is simply an economic system defined by private ownership of the means of production. I'm not sure you are using capitalism correctly here.
You are right. I think it's that we allow companies to become dominant in their industry and abuse their market position. I incorrectly called out capitalism when it's really unregulated markets combined with a legal system that makes it possible for large companies to avoid consequences, or at least defer consequences until they've wiped out their competition that the consequence is merely a minor fine.
Meh, I'm not convinced that other systems will be fundamentally better

Humans are flawed, the systems they build will be flawed, flaws will wax and wane with circumstances, possibly waxing to the point of intolerability and then they break and are replaced with something else.

Paradise remains fundamentally always out of reach.

And yet there are good moments, good relationships, little pieces of life that are priceless. So I think it makes sense to carve out little niches in life where things work nicely or to try to make things work better on small issues.

I am interested to see how long or if Elastic sticks around after this. If people will just move on to another AWS product or if they'll keep using Elasticsearch.
I think it depends on whether Amazon wants to start funding development of their fork. I think under this new license, Amazon can’t just bring over changes from elastic any more.

If Amazon commits to dev work then their project might be the one that survives since it’s actually OSS and more capable of being used in more products.

But if they don’t then it will drift and not be very useful any longer.

I don't think most of Amazon's behavior actually violates any norms and values of traditional open source communities.

I think instead we are finding that norms and values of traditional open source communities are in some ways contradictory/inconsistent; that there can be competing interests where it isn't true that either one of them is the one that "opensource norms and values" privileges; or that the traditional "norms and values" don't necessary lead to the world that enthusiasts had fantasized about.

In a lot of these discussions, I think the underlying basic thing is that some are alleging, often implicitly, that included in the "norms and values of open source" are that if anyone is making money from value provided by open source, it should be authors of that open source, or at least they should get a cut.

I don't think that is in fact one of the traditional norms and values of open source community. In some ways it's even counter to the tradition.

The actual world/ecosystem around open source has evolved to be very different than the one imagined by traditional norms and values though. Compare to how apache httpd was originally written -- 6 or 8 people, each from a different organization, collaborated on company time each getting paid by their employer, to produce something of value to all of their employers, where the only desired 'profit' was the thing being available for all to use.

That is sort of a stereotypical traditional fantasy of open source. It is of software being created without a profit motive, in an ecosystem where people would contribute to such things on 'company time' (they had a steady salary from some company already). The more people using the software you wrote, the better, and you never wanted a cut of their profits -- that is the fantasy of traditional open source norms and values.

That is not the world we ended up with though.

So the problem is that now it is "obvious" to some people that if we wrote the the thing, and then formed a company around that thing we wrote -- it's not "fair" if someone else is making money from it without giving us a cut.

But this isn't a value encoded into open source licenses at all, and that wasn't an oversight, it was intentional because this wasn't in fact a traditional "norm and value" of open source at all, and in fact it is in some ways counter to the actual traditional norms and values, one of which I would say was: Your desire to make a profit from this code should not in fact be allowed to prevent anyone else from using it. It is ElasticSearch which is acting contradictory to norms and values of open source in believing nobody should be able to use their software without giving them a cut of profits from it.

These disputes will keep happening, not because some companies are violating the "norms and values" of open source, but because the actual traditional norms and values of open source are increasingly unable to power a sustainable economy where people can get paid (in the manner they think they deserve?) while producing open source.

Amazon doesn't give back to open source maintainers at all. They take and take with no return. This isn't normal in the open source community.
I’m not sure if this is true. It looks like Amazon makes lots of contributions to open source [0][1]. They don’t literally contribute to every project they use, but think they add lots to the ecosystem.

But even if they contributed nothing at all, that’s part of open source in that it’s free for everyone to use regardless of anything else, depending on the license.

I think it’s a virtuous byproduct that all this free, allowed use leads to people contributing more open source. Not because of compulsion, but through a shared philosophy.

[0] https://aws.amazon.com/opensource/ [1] https://news.ycombinator.com/item?id=9358843

SO many people and companies make money off of ("take") open source projects like apache httpd, postgresql, or even linux itself, without "giving back". So many companies have stacks based on these software, stacks they make money from, who never would even consider sending a patch back to postgresql or apache httpd or what have you.

Is this considered against typical open source norms and values?

If not, what makes this situation different?

So one difference people talk about is that your stack might be based on postgresql and you might sell a service, but you aren't actually selling postgresql as a service. OK... but I suspect there are people selling (especially) postgresql or mysql as a service, without ever sending patches back; say, a traditional kind of PHP web host, right? This hasn't to my knowledge led to much controversy; or the idea that their entire webhosting/dashboard/management layer has to be open source if they provide postgresql. What's the difference?

I am not saying there can't be a difference, there are all sorts of differences always. But in elucidating what the pertinent/meaningful difference is, we actually are clear about what we think, instead of just a gut-reaction "I don't like amazon and I don't think they should be able to profit off of elasticsearch" -- cause that IMO doesn't have anything to do with "opensource values and norms".

I think, again, is that the real problem is that the traditional models of open source, the traditional norms and vlaues of open source, are becoming less and less capable of supporting sustainability and proper income for open source development. (Which reminds me of the OpenSSL problem of course. Is everyone who uses OpenSSL, which means like everyone, violating "norms and values" if they don't send patches back? Obviously not).

So I guess the options are now to use the “OpenDistro” [0] or the SSPL distro maintained by Elastic.

It’s too bad that Elastic is no longer open source, but respect the companies choice to close source their stuff.

Will be interesting if Amazon just maintains their fork or abandons it to make something else.

I’m not familiar with elastic as a project and not sure how many community contributions they have, but expect that to shrink as I’m not sure many OSS developers will freely contribute to non-OSS projects.

As for trademark stuff, I expect a renaming like Hudson/Jenkins.

[0] https://github.com/opendistro-for-elasticsearch

Elastic is still open source for anyone but Amazon or other cloud providers trying to resell their work.
The source code is freely accessible and you can use it for free.

What's the difference to you as a user? Or are you simply concerned about Amazon?

I make products that use that package. I want all the packages I depend on to be compatible with my license. I don’t want to run into an audit years from now during due diligence that I have some liability from an incompatible license.

I can’t afford lawyers to determine compatibility today. And I suspect that they would say “not compatible, pay to be safe.”

That’s the difference to me as a user.

This sounds more like an issue with the licensing world itself than with this license, which by itself is pretty simple and won't affect you except in the case you offer your products containing Elastic as a service to third parties.
I don’t have have that problem with well known licenses like OSI or proprietary, commercial licenses.
I think you are grossly over estimating the contributions that the general community has to open source. Theres a company behind this project and they do most of the maintenance work.
Yep, this happens with alot of open source. Either a big company maintains a project through paid engineers. OR some poor guy gets burnt out because everyone is demanding free changes to some OSS package constantly without providing PR/MRs.
Exactly, which is why I hope Elastic manages to beat Amazon wih this tactic since it then can be a playbook for OSS companies. In general OSS is fantastic whether free or paid and I genuinely want companies like Elastic to succeed. This whole free software thing is stupid and it is sad to see talented devs getting burnt out because people are cheap to pay for software.
Interesting, especially in comparison with other motions for Open Source via AWS. Mongo is the other big name that comes to mind, as well as Redis.
It seems like Amazon is using their retail strategy here. It is basically white labeling the product. Just find a popular product. Copy the apis and call it amazon x. Open source license make it even easier.
Which is fine as long as they respect the license e.g. keep the result software open source. Amazon is selling compute hours, not software.
In short, Amazon don't follow law of trademarks. Then, Elastic instead of enforcing their rights in court, changes license in hope that Amazon will follow law of copyright. How do they expect it will work? I don't get it.
> We’ve tried every avenue available including going through the courts
(comment deleted)
> Our license change is aimed at preventing companies from taking our Elasticsearch and Kibana products and providing them directly as a service without collaborating with us.

I feel like I just said this a few days ago: https://news.ycombinator.com/item?id=25796849

The main value of open source to businesses is that support is truly commodified and there is no one with a stranglehold on it. ElasticSearch is trying to remove what makes open source appealing to businesses. No one wants to build their infrastructure on something with expensive IBM/Oracle-costing support. Basically, from now on, ElasticSearch has removed that benefit from their product and businesses are at risk. It's now much less appealing... is the remaining niche profitable? Only time will tell.

Note, why businesses find open-source appealing is not why developers find it appealing, or private individuals.

I'll be honest, I've never heard a single business say the reason they use open source is because support is commodified. It's generally cost or functionality, and quite frankly they want a go-to support expert, not a list of support options.

Redhat didn't become huge because people had all sorts of options for third party support. In fact, I can't say I've ever come across a single enterprise who: uses third party support for their RHEL installed base, has asked for third party support for their RHEL installed base.

CentOS and WhiteBox Linux were 3rd party sources of RHEL and to a large part Linux distros are interchangeable which makes them commodities. Not perfect commodities, but still close. RHEL with subscription vs Debian & burdening yours ops guys are choices available. VMS has no such choice.
But he didn't say: businesses use open source because they can find compatible binaries from multiple entities. He said it commodified support. CentOS and WhiteBox never promised or offered enterprise support agreements that I'm aware of. And if they did, I can't say I ever ran across anyone utilizing it in the wild.
>The main value of open source to businesses is that support is truly commodified

No, Thats not true at all. Most open source companies survive off of support contracts. It's why companies choose rhel over centos.

(comment deleted)
> No one wants to build their infrastructure on something with expensive IBM/Oracle-costing support.

What's stopping you from running Elastic without paying for support under the new license?

You might need to open-source your entire service.
In a narrow set of use cases, yes. In the vast majority of use cases---building applications with Elastic for data---no.
Elastic has the same problem that MongoDB has with Amazon: Amazon is commoditizing their product on a massive scale.

"Smart companies try to commoditize their products’ complements."

https://www.joelonsoftware.com/2002/06/12/strategy-letter-v/

Not sure what other alternatives are there besides changing licensing.

Given that aws just built DocumentDB, I am not sure if the licensing changing anything. I would even say that this choice actually hurts MongoDB because I am less likely to choose it since they have less practical hosting solutions.
If Oracle wins against Google, presumably DocumentDB would be infringing in the same manner, as DocumentDB also is a drop-in replacement adhering to the same API.
I still didn't decide if it would be a good a or bad thing actually.
AWS have recently invested in DevRel and open-source evangelist type employees (to be found on twitter much of the time). I assume they understand better than anybody that the dev and startup dollar is enormous and crucial to their future success. This type of thing - and their past willingness to leach off open-source - has to have a marketing and sales impact - at least at the 'startup' top of the funnel. Is it sufficient to push AWS to change direction? Would be good to see a RocksDB, Cassandra or the likes emerge from AWS.
Could this potentially drive users to the Amazon fork? If I'm a business that may be impacted due to the licensing change, it would seem my safest (legal) option would be to freeze on the last version with a friendly license and then transition to the Amazon fork, since it will probably stay under a more open license. While maybe not the smartest technical decision, from a business standpoint it seems like a reasonable insurance policy, at least until someone else tests the waters in court.

Amazon doesn't have any interest in making their version closed because they want the money from hosting. Even if the product isn't that great, it's super easy if I'm already 100% in on AWS anyway (not necessarily reality, but it is an easy conversation to have and the service should be big enough to warrant investment from AWS).

I applaud the stand they are taking and it will be interesting to see how this plays out.

> Could this potentially drive users to the Amazon fork?

If they're dumb, yes.

As stated in their blog, changes apply pretty much only if you're either embed or redistribute elasticsearch/kibana. And these are two specific use-cases btw.

If you're already a customer, nothing changes.

Find me one lawyer who is going to be convinced by this blog post. There is a blanket no for using SSPL software at every company I know.
Open Distro is not a fork but simply a repackaging of ES with some additional modules.

However there doesn't seem to be many options left now but for Open Distro to become a complete fork of ES.

The notion of Open Distro for ES being "a fork" is, in my opinion and as of last I checked, overblown. Yes, they bundle a bunch of freely licensed stuff to make up for features that Elastic themselves have paywalled off (or sealed behind their free-to-use, but non-libre, custom license where they don't show/include sources either), but they rely on and effectively install the (hitherto) Apache-licensed upstream release of ElasticSearch, as published by Elastic.

Also, if you take a closer look at Open Distro, you will quickly come to the conclusion that you really do not want to deploy what drops out of there. The RPM package does CRAZY stuff that made me exhale audibly enough for coworkers to notice - like spawning a postinstall shellscript that `wget`s a .so for/from an optional library that the Open Distro release team put into an S3 bucket, and then `mv`ing that downloaded file (iirc even without any content verification; so the content could be your proxy's captive portal markup, for all they know) into (again, iirc) /usr/lib. That is from WITHIN AN RPM PACKAGE, mind you, where you could and should really just carry that file yourself.

That and other minor troubles with the tooling surrounding the actual product (ES) made me abandon Open Distro fairly quickly. Which is a shame, since a really freely licensed spin of ES with "Enterprise" features would indeed be very nice to have.

How would the captive portal intercept s3 tls calls successfully?
TLS in enterprise settings is commonly intercepted by TLS/HTTPS proxies that create trusted (by the OS's local trust store) certificates for proxied peers on the fly. Banks often do this - the one I work for, for instance.
The proxy should be verifying the cert of the connection it's proxying to so it has to either be malicious or buggy where it corrupts the software.

The proxy won't connect to bank.com with an invalid cert unless it's configured incorrectly (but the same is true of the OS anyway)

"Should" is such a beautiful concept ;)

The McAfee-based proxy we have SOMETIMES (I guess it depends on the content-type and the length of the upstream response) renders a kind of "intermediate" HTML document as the response body, where the human user is supposed to click on a link that makes the UA download the originally requested resource from an internal, ad-hoc mirror. I guess that is due to some virus scanning snake oil.

At any rate, what the packages at Amazon did there is just right up in "that is crazy"-territory.

It doesn't have to, can just serve anything - if the client code doesn't check certificates...
(comment deleted)
(comment deleted)
You should consider opening an issue on their github [0]?

AWS, from what I know, takes security seriously, and given they themselves use OpenDistro internally, this should become a top priority for them.

[0] https://github.com/opendistro-for-elasticsearch/opendistro-b...

Have you ever found confirmation that they use OpenDistro internally? I've looked and have been unable to find such a statement.
Though there's no confirmation I could find, there's an indication that they may/are:

Let’s take a quick look at the features that we are including in Open Distro for Elasticsearch. Some of these are currently available in Amazon Elasticsearch Service; others will become available in future updates.

https://aws.amazon.com/blogs/aws/new-open-distro-for-elastic...

> Could this potentially drive users to the Amazon fork?

Um, about that...

> When Amazon announced their Open Distro for Elasticsearch fork, they used code that we believe was copied by a third party from our commercial code and provided it as part of the Open Distro project. We believe this further divided our community and drove additional confusion.

It's interesting that they phrased it like that. If they were confident about this, they would easily be able to prove this in court and it would be a very simple case of copyright infringement right?
If IBM v. SCO taught us anything, it should have taught us that "easily... prove" and "in court" do not belong in the same sentence. The case SHOULD have been thrown out in 5 minutes due to lack of merit, which ANY programmer could see. Instead, it took FOURTEEN YEARS to decide, and is STILL working through appeals. Microsoft funded the litigation, and the scumbag executives of SCO continued to get paid through most of this charade. It all still makes my blood boil.
Yeah I'm not sure how much weight this holds, especially considering one paragraph later they transition into accusing Amazon of being "inspired" by their commercial features.
They have a lawsuit open against the third party. I would presume that "inspired" is covering themselves from libel until they have a judgment that this happened (assuming it appears).
They're currently suing the third party mentioned.
Since AWS implies that Elastic is involved in the offering, I'd sue AWS for defamation. Having your name associated with a AWS service, and such a shitty service at that, cannot be good for your business.
Well they are using elastic code freely given away with a few small additions, is that not involved enough?