Why don’t you want to pay for a feature that you need?
The company that pays your wages makes money from selling something. Of course you sell what people need.
>Why don’t you want to pay for a feature that you need?
It's irresponsible to charge for features such as transport security, in my opinion.
Want to charge for enterprise auditing, federation, reporting and granular access control? Fine, go right ahead. But withholding basic security features like transport security and basic access control that should be core leaves a bad taste in my mouth.
How many unsecured Elasticsearch servers have been popped, leading to data breaches as a direct result of this decision?
That is manifestly unfair, the situation is someone doesn’t want to pay for a security feature so they go ahead and expose themselves, all the time they are trying to make money by using a free product.
Really unfair to point fingers at ES. And I really don’t get why people feel they should be making money off someone’s work but don’t have to pay them. What significant os or free is your company offering?
Really and genuinely confusing, does the same approach work with your lawyer, mechanic, plumber, electricity, gas company?
They do something for free you demand more for free otherwise you are at risk.
Mechanic: I’ll do the oil filter for free
You: you must also replace the brake pads for free otherwise the car isn’t safe for me
A service like this is more like someone giving you a ride.
And if they don't have brake pads, and negligently get into a horrible wreck, one where they walk away unharmed while you are injured? You probably have a case there.
When airbags first came out, only expensive cars had them. I wouldn't be surprised if side airbags are still only found in nicer cars.
This seems entirely different though. It's more like hitchhiking. When you pay for an Uber or Lyft, there's a level of safety expectations in the car. When you pay for a black car, there's a higher level of expectations. When you don't pay anything, you are using it at your own peril. Now, this could be a bad business model or poor mousetrap for adoption. I'm not arguing with that.
You want to sue an open source sw maker for not providing a feature for free because when you expose your ES to an insecure network without that feature you put yourself at risk?
How about you don’t put your ES in an insecure network without buying the feature or pay someone to write the feature for you?
Your analogy is misleading and wrong, my mechanic one is better.
How about this: I offer you, a stranger, a ride to a location convenient to me for free, you take the ride then demand I drop you off at another location otherwise you will run in the middle of the road and hurt yourself.
Data security isn't as serious of an issue as loss of limb, so there wouldn't be any legal wrongdoing in normal circumstances.
And no, your analogy doesn't make any sense. You keep talking about doing one thing for free, and refusing to do an entirely separate thing. That's very different from doing a thing for free but in a dangerous way.
And I'm not saying anything should be free anyway. Just that if you offer a service, don't make it pointlessly dangerous as an upsell tactic.
> That is manifestly unfair, the situation is someone doesn’t want to pay for a security feature so they go ahead and expose themselves, all the time they are trying to make money by using a free product.
>Really unfair to point fingers at ES. And I really don’t get why people feel they should be making money off someone’s work but don’t have to pay them. What significant os or free is your company offering?
Very much disagree with all of this - not an unfair position to take at all. My open source browser supports TLS. The open source web frameworks I work with include built-in web servers that support TLS. It's inexcusable not to support basic things like this in 2019. I don't care if your software is OSS or not.
I'm unsure why "my company" is relevant here. But for what it's worth, the client I currently work with is a) an exempt educational charity, b) open sources all of their internal web applications that interact with the ELK stack.
>They do something for free you demand more for free otherwise you are at risk.
Do you honestly think Elastic would've accepted a PR that added transport security into the open source codebase? Even if it was developed entirely by someone else in good faith?
The only reason they've done anything now is because their hand was forced by Amazon. Honestly? Good. This is about as bad as when StartCom were charging for certificate revocations.
>does the same approach work with your lawyer, mechanic, plumber, electricity, gas company?
It's like a lawyer offering to represent me pro bono, and then it turning out that they're not even qualified to practice law and have jeopardised my case as a result.
Legally, sure? There's no warranty given with the software. But it's still a morally wrong thing to do.
The last time I talked to Elasticsearch about pricing, it was so extremely expensive for our use case to the point of it basically being a non valid option for us.
I think what most people miss for these and similar services is you’re paying for really good, on call, white glove Elastic support. In my experience they can often go as far as to replace having a search specific ops team. The cloud hosting isn’t really where the value is.
I guess my issue is that we didn't want or need support. We just wanted x-pack features such as Auth and the Alerting plugins.
We were already hosting it fine ourselves on AWS, as we had devops people very familiar with ES. However the price they quoted us per year was insane for our cluster size for ~20 nodes.
I looked at the price of a Tesla the other day and thought it was too expensive.
Doesn’t really say much, I could be in a bad financial position, Tesla could be expensive or I have a different preference to spending my money or I don’t love the environment enough ;)
Imagine if Facebook charged you $5 to reset your password.
TLS isn't like say, LDAP integration. One of those is a fancy enterprise feature you can totally charge for (and probably should), and one of those is a basic critical feature.
It would be unethical to charge $400/year to properly store user passwords as hashed instead of plaintext, wouldn't it?