We at Sonatype take our responsibility as stewards of the Central Repository (Central) very seriously, and for well over a decade we have been dedicated to the ideal of immutability when it comes to serving components to the community that relies on Central. As the stewards of Central, it has long been our position that we would only consider removing components from the repository in the event of IP infringement or the presence of clearly malicious code.
Unfortunately today, due to an intellectual property dispute between two third parties, we find ourselves in a position where we are required to remove the disputed artifacts from Central.
Let me explain. Late last week, Sonatype received a Digital Millennium Copyright Act (DMCA) Takedown Notice from legal representatives of Elasticsearch, Inc. requesting that we remove the disputed components tied to Search Guard from Central. GitHub, where the Search Guard components were also available, received a similar notice.
Elasticsearch alleges that a German company, floragunn GmbH, has infringed on Elasticsearch’s intellectual property by directly copying source code from proprietary security features into the Search Guard plugin and making it available for download via Central and OSSRH (OSS Repository Hosting). Having reviewed the allegations with outside counsel, we have come to the conclusion that we are legally obligated to remove and disable access to the allegedly infringing floragunn content in order to comply with the DMCA. So, as of this morning, the components - containing what Elasticsearch alleges to be its proprietary source code - will be blocked from Central and OSSRH until further notice.
Due to the automated nature of many build processes that rely on direct access to Central, we know that removing these components may result in breaking builds. Additionally, due to the popularity of these components, and in light of the “left-pad gate” issue that npm faced in 2016, I can assure you that Sonatype has made every effort to navigate this matter in a manner that balances the respect for Elasticsearch’s IP claim, Sonatype’s duty to act as a responsible steward of Central, and our legal obligations under the DMCA.
You can see a full list of affected components that have been blocked in Central and OSSRH here.
Elasticsearch who states that it now includes free security features in its products, has published a blog entitled, “Dear Search Guard Users”, providing additional perspective. Floragunn’s response to the allegations made by Elasticsearch can be found here.
For those wishing to better understand the IP infringement issues surrounding this case, the court papers are available here. Also, in the event you have any questions or concerns about this matter, both Elasticsearch and Floragunn have made available the following e-mail addresses in their public communications to the Search Guard community:
Elasticsearch: search-guard@elastic.co
Floragunn: search-guard@floragunn.com
Written by Brian Fox
Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.
Explore All Posts by Brian Fox