[Koha-bugs] [Bug 33353] Add compatibility with Elasticsearch 8

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon May 15 11:48:03 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33353

--- Comment #16 from David Liddle <david.liddle at wycliff.de> ---
(In reply to Victor Grousset/tuxayo from comment #15)

Hi, Victor, and thank you for following up!

> > 1. The version included by Koha appeared to be one that had reached end-of-life with the publisher
> 
> ES 7 and OpenSearch 1.X (which isn't EOL) have been supported for a year.
> But we didn't update the system requirements documentation (now it's
> finally updated) due to not having the time to search for real-world usage to
> confidently claim support :-/

Our Koha installations represent a fraction of the systems that I support or
manage in my role. I have to judiciously balance the time and effort I give to
any single system. When considering the addition of new software, I only do
so when that software is actively developed by the publisher, is clearly
supported on the target system, and has a well-documented
installation/integration process. Since I didn't see that with Elasticsearch
and Koha, I avoided it.

> > 2. Even the supported version had been associated with significant data breaches
> 
> You mean the log4j vulnerabilities? (latest 6.x patched them) or like bad
> defaults?
> Is your statement still valid for ES 7.x?

No, I believe log4j was a separate issue. The data breaches were in the news a
few years ago. Here's an example:
https://www.techradar.com/news/what-is-elasticsearch-and-why-is-it-involved-in-so-many-data-leaks
That article doesn't specify which CVEs were involved, but I wasn't about to
create a new installation with an old, unsupported (read: perhaps unpatched)
version that could _possibly_ make our system vulnerable to the exfiltration of
patron and staff data. That would be irresponsible, especially since some
portion of those people are under the protection of the EU GDPR.

> > 3. There seemed to be a lack of clarity following the change in licensing and the open source world's response to it.
> 
> Indeed! About that, to have more material to raise awareness about the
> issue, do you happen to know more about the open source world's response to
> it? Besides Debian, Fedora and the Open Source Initiative not considering
> the SSPL license libre/open source?

The details of whether or not ES truly can be considered 'open source' are not
actually important to me. Observing a general lack of clarity, and not knowing
the Koha development team's point of view on the matter, I couldn't be certain
of the future of ES with regards to Koha. In my situation, that caused me to
recommend against installing ES.

> > - Our production server runs 22.05, BUT I can imagine a willingness to leap forward a bit if OpenSearch is backported to 22.11.
> 
> You can do that right away with OpenSearch 1.x; 22.05 supported it on
> launch. Sorry again for the delay in advertising its support.

That's why I was pleased to see this entry and the references to OpenSearch.
Once I see an open declaration of support for its usage, and once I see some
clear instructions for integrating it, I will be willing to install it on our
test server. I have to approach the matter cautiously to protect the correct
function of our systems – as well as my time and sanity.

Thanks again for your response! I just want to let you all have an idea how one
system administrator views the situation.
