by lol768 2579 days ago
>Why don’t you want to pay for a feature that you need?

It's irresponsible to charge for features such as transport security, in my opinion.

Want to charge for enterprise auditing, federation, reporting and granular access control? Fine, go right ahead. But withholding basic security features like transport security and basic access control that should be core leaves a bad taste in my mouth.

How many unsecured Elasticsearch servers have been popped, leading to data breaches as a direct result of this decision?


That is manifestly unfair. The situation is someone doesn’t want to pay for a security feature so they go ahead and expose themselves, all the time they are trying to make money by using a free product.

Really unfair to point fingers at ES. And I really don’t get why people feel they should be making money off someone’s work but don’t have to pay them. What significant os or free is your company offering?

Really and genuinely confusing. Does the same approach work with your lawyer, mechanic, plumber, electricity, gas company? They do something for free, you demand more for free, otherwise you are at risk.

Mechanic: I’ll do the oil filter for free

You: you must also replace the brake pads for free otherwise the car isn’t safe for me

Mechanic: Go ...

A service like this is more like someone giving you a ride.

And if they don't have brake pads, and negligently get into a horrible wreck, one where they walk away unharmed while you are injured? You probably have a case there.

When airbags first came out, only expensive cars had them. I wouldn't be surprised if side airbags are still only found in nicer cars.

This seems entirely different though. It's more like hitchhiking. When you pay for an Uber or Lyft, there's a level of safety expectations in the car. When you pay for a black car, there's a higher level of expectations. When you don't pay anything, you are using it at your own peril. Now, this could be a bad business model or poor mousetrap for adoption. I'm not arguing with that.

A case?

You want to sue an open source sw maker for not providing a feature for free because when you expose your ES to an insecure network without that feature you put yourself at risk?

How about you don’t put your ES in an insecure network without buying the feature or pay someone to write the feature for you?

Your analogy is misleading and wrong, my mechanic one is better.

How about this: I offer you, a stranger, a ride to a location convenient to me for free, you take the ride, then demand I drop you off at another location, otherwise you will run in the middle of the road and hurt yourself.

Data security isn't as serious of an issue as loss of limb, so there wouldn't be any legal wrongdoing in normal circumstances.

And no, your analogy doesn't make any sense. You keep talking about doing one thing for free, and refusing to do an entirely separate thing. That's very different from doing a thing for free but in a dangerous way.

And I'm not saying anything should be free anyway. Just that if you offer a service, don't make it pointlessly dangerous as an upsell tactic.

>That is manifestly unfair. The situation is someone doesn’t want to pay for a security feature so they go ahead and expose themselves, all the time they are trying to make money by using a free product.

>Really unfair to point fingers at ES. And I really don’t get why people feel they should be making money off someone’s work but don’t have to pay them. What significant os or free is your company offering?

Very much disagree with all of this - not an unfair position to take at all. My open source browser supports TLS. The open source web frameworks I work with include built-in web servers that support TLS. It's inexcusable not to support basic things like this in 2019. I don't care if your software is OSS or not.

I'm unsure why "my company" is relevant here. But for what it's worth, the client I currently work with is a) an exempt educational charity, b) open sources all of their internal web applications that interact with the ELK stack.

>They do something for free you demand more for free otherwise you are at risk.

Do you honestly think Elastic would've accepted a PR that added transport security into the open source codebase? Even if it was developed entirely by someone else in good faith?

The only reason they've done anything now is because their hand was forced by Amazon. Honestly? Good. This is about as bad as when StartCom were charging for certificate revocations.

>Does the same approach work with your lawyer, mechanic, plumber, electricity, gas company?

It's like a lawyer offering to represent me pro bono, and then it turning out that they're not even qualified to practice law and have jeopardised my case as a result.

Legally, sure? There's no warranty given with the software. But it's still a morally wrong thing to do.