NewsBits: Fresh Elasticsearch and a Redis ruckusPublished
Welcome to NewsBits where you'll find the database and developer news from around the net for the week ending August 24th.
- Elasticsearch 6.4 now has an alias (type) and much more.
- There was a bit of controversy around Redis and licensing.
- FoundationDB is having a summit.
- Microsoft Research's key/value store FASTER open sourced
- The older MongoDB 3.6 gets an update with 3.6.7
- Update now if you have Struts in your web application.
- Go 1.11 gets a second release candidate.
- And finally, Pong, the hard way.
Here's those bits in full...
Elastic has announced the release of Elasticsearch 6.4 as part of the Elastic Stack 6.4 release. Since Elastic are now shipping their proprietary X-Pack with Elasticsearch, it's somewhat harder to determine whats new in the open source version of Elasticsearch 6.4. For example, the new Kerberos authentication and FIPS 140-2 mode appear to be part of the X-Pack security functionality and not in to open source version.
That said, there's plenty to look at in the new release. The ability to reload secure settings on the fly for plugins is useful. Plugins are now going to be signature verified at installation too. In the database itself, there's a new alias type which lets you add names for fields without reindexing, a new super-fast Korean analyzer "Nori", new indexing options for two word phrases and the ability to run tokens through multiple filters at the same time. There's also weighted average aggregation for pipelines and Expected Reciprocal Ranking for rank evaluation.
The Java High-Level REST client is also much improved with literally dozens of features of the Elasticsearch API now supported. There's also new documentation for Painless to reflect the different contexts the scripting language is used in. Full details are in the release notes.
Redis and the Commons Clause
This week, confusion abounded around Redis when RedisLabs announced it was applying the not-open-source Commons Clause to their open source products. The commons clause is an additional clause that vendors are adding to existing open source licenses which prohibits any making of money (via hosting or consulting) linked to the product. This, of course, makes it not open source by the OSI's definition.
The initial posting RedisLabs made implied Redis was included in this list of products by using it as a prominent example and mentioning none of RedisLabs products. In fact, RedisLabs doesn't own Redis and Salvatore Sanfillipo clarified his position on Twitter. RedisLabs also removed the original posting and put a new post up explicitly noting Redis will remain BSD licensed and that the Commons Clause only applies to their Redis add-on modules.
The Commons Clause is likely to become a bone of contention with companies adopting it for their entire product, for example Dgraph, while using the Apache name.
FoundationDB, the database that came back, is slowly gathering interest. Brief history, FoundationDB was an up and coming startup that was bought by Apple and the product disappeared from the market. It returned in April this year as an open source database from Apple. FoundationDB is really the core of a database, the distributed key/value store. An interesting read around FoundationDB is High contention allocator which looks at the allocation of keys (or directories of keys) in FoundationDB. Fast forward to December 10th this year when the first FoundationDB Summit will be happening as part of Kubecom/CloudNativeCon in Seattle.
Microsoft Research has had a team working on FASTER, since 2017. The Faster key/value store is built around a cache-optimized hash index and a self-tuning data organizer that sets out to handle problems that exceed the limits of in-memory stores, like not enough memory. Now, Microsoft Research has open sourced (MIT license) two implementations of FASTER, in C# and C++, and put them up on Github.
Version 3.6.7 of MongoDB quietly turned up on the MongoDB downloads server this week. The highlighted changes are predominantly fixes, and are part of a more extensive changelog. The notable feature is a switch to batch inserting when migrating chunks between servers which should speed up sharded clusters.
Got Struts? Get fixing. There's a remote code execution vulnerability in Struts and, given that Struts vulnerabilities were what got exploited in the Equifax debacle, you don't want to be another Equifax. If you run Apache Struts 2.3.34 or earlier or Struts 2.5.16 or earlier, then CVE-2018-11776 is important and you should be upgrading to Struts 2.3.35 or 2.5.17. If you want to dig in on how the flaws were found, read How to find 5 RCEs in Apache Struts with Semmle QL.
The next Go release is closer with Go 1.11RC2 being released and just three release blockers showing against it (and one of those is "write the blog post").
Remember the Pong games of the 70s you could plug into your TV and enjoy "Tennis"? Grant Searle does and since 2013 has been taking on the challenge of recreating those games. For such a simple game, you'll be amazed at the challenge that making it using a fairly modern micro-controller poses.
NewsBits. News in bits, every Friday at Compose.