ElasticSearch License Change ASLv2 to SSPL

[David E Jones]

Briefly: all releases after 7.10 (starting with 7.11) are SSPL licensed rather than Apache 2.0.

Here is one article on the topic, thanks to Bilgin Ibryam for sharing this:

https://anonymoushash.vmbrasseur.com/2021/01/14/elasticsearch-and-kibana-are-now-business-risks

For those not familiar with SSPL it is sort of like AGPL (Affero GPL) but with terms meant specifically to take down hosting company services based on the open source software. If you paid attention to the MongoDB debacle with SSPL you might remember it. For those using AWS ElasticSearch Service this might have a direct impact, I don't know what AWS will do with this. 

For Moqui what this means is still a question. To be safe for now stick to versions that are Apache 2 licensed (7.10 and earlier; not sure about ES 6.x minor releases).

This is one of the reasons for the Moqui architectural goal of NOT using provided libraries for external systems and instead only interacting through their exposed APIs, like the JSON over HTTP API in ElasticSearch.

For most open source licenses that separation of systems is plenty, but I don't know if the SSPL terms will shake out this way. It does not seem that Elastic Co intends to go after projects like Moqui, or users of ElasticSearch like most Moqui users, but who knows. Time will tell and only then might such legal terms be tested.

For comparison, MySQL is GPL licensed, as is the MySQL Connector/J JDBC driver. BTW, this is one of the reasons the MySQL JDBC driver JAR file will never be included in any Moqui Ecosystem component build.gradle files, even if Moqui only interacts with that JAR file through JDBC interfaces. This might be comparable, but the JDBC interfaces that Moqui uses to communicate with MySQL are more open so it could possibly be different with code that relies on a proprietary API like the ElasticSearch REST API.

To be clear I don't think this is or will be an issue for Moqui or most Moqui users, but what I think doesn't really matter than much so this is a heads up on this critical change.

FWIW the worst case scenario would be we just strip out everything to do with ElasticSearch and move to something like SOLR. That will be somewhat difficult because there are significant concept and convention differences between ES and SOLR, even if at a high level they do similar things and are both based on Lucene.

-David

[Taher Alkhateeb]

Hi David,

I'm not sure, but it seems Amazon are forking ES to maintain Apache license [1] [2] so maybe this is good news for us?

[1] https://opendistro.github.io/for-elasticsearch/
[2] https://aws.amazon.com/blogs/opensource/stepping-up-for-a-truly-open-source-elasticsearch/

--
Taher Alkhateeb

--
You received this message because you are subscribed to the Google Groups "Moqui Ecosystem" group.
To unsubscribe from this group and stop receiving emails from it, send an email to moqui+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/moqui/CAKBdU9cNwZW4Z5QCmXF%3D85A1HCa1ftpbivf5%3DSD_Wx84n42hXA%40mail.gmail.com.

[David E Jones]

Hi Taher,

Yes, the AWS fork is one possible way forward. There may be issues over time with incompatibility, feature differences, etc between ES from Elastic and ES from AWS. Due to licensing we'd go with ES from AWS for any differences, but overall it creates a weird environment for the software.

It's hard to say at this point... my thought on it now is that Moqui can update to use ES 7.10 and just stop there for a while as we see how all of this shakes out. In other words I don't think enough has settled for any decision other than keep doing what we're doing and see what happens as the giants wrestle far above us.

Even with the now released ES 7.11 that is SSPL licensed I don't think Moqui itself has any licensing issues, but that is a very low standard for open source licensing policy because what really matters is the licensing restrictions that Moqui end users are subject to.

For now the main thing that Moqui users need to know is that if you deploy Moqui and point it to a server running the SSPL licensed version of ElasticSearch then you (and any legal counsel you can muster) should carefully review the terms of SSPL because it is pernicious and tries to extend not just to compile time bound like GPL/AGPL but also more general dependencies.

For what it's worth on my personal 'open source' or 'free software' philosophy it comes down to one thing: make it work without forcing anyone to do anything (aka violence is not the answer). By that standard copyright cannot be used as a tool for anything because the only purpose of copyright is to be able to force someone else to do, or not do, something. What does a collaborative software project need to force anyone to do, or not do?

Even the most open minded in open source don't agree with this and a common claim is 'we at least need a trademark!'. For what? What is a community driven open source project going to do with a trademark? Sue someone? For what? People talk about fraudulent use of a name... and yes fraud is a real world issue but in that case the open source project is a third party to the fraud case, not the victim or the perpetrator. How about slander and libel? For these the project might have legal standing, but do we want a legal entity with funding just to defend against people misrepresenting something that has massive amounts of public records of code and conversation.

I think Stallman has a lot of great ideas and has done a lot of great work, but GPL is not one of them. IMO GPL (and the derivatives based on it including the weird SSPL) are a lazy and ineffective solution to the wrong problem in software. GPL is an attempt to use force via enforcement of copyright law to get people to share. It is about punishing entities for not sharing, not about facilitating or encouraging collaboration. Further the mechanism to get people to share is force which is kindergarten level thinking, at best. Maybe I'm mostly alone in this thinking but I actually agree with the schoolyard teaching that violence is not a good solution to most problems, and nearly always makes problems worse.

In the case of GPL and all copyleft derivatives that are based on the idea time has proven the unintended consequences of the licensing scheme. This class of license is used by nearly all 'commercial open source' groups and has been used to turn 'open source' into a trite, small minded, budget friendly marketing term instead of the much more powerful concept of facilitating collaboration and sharing among potentially large groups of people for the benefit of both each and all.

Over time I've become much more mentally hostile to the idea of commercial open source, but that's mostly because it is currently the winning model and it's killing open source. The trend of commercial open source companies, like Elastic and Mongo and so on, going more and more closed over time after capturing some market share is the inevitable path when it was never collaborative open source in the first place.

Why is this killing collaborative open source? As a general trend it is moving resources away from anything that can, by any stretch of the imagination, be called 'open source'. To borrow concepts from Eric Raymond:

The Bazaar is empty. Its prior denizens have all built or joined Cathedrals.

If I turn this into an article that might make a good title... is it click baity enough for modern standards? Hmmm... the use of the word 'denizen' alone is likely to make the content pimping algorithms score it low.

-David

To view this discussion on the web visit https://groups.google.com/d/msgid/moqui/756a4fd5-0870-13e7-6ff7-4647bcb1dd07%40pythys.com.