Removing Search Guard from the Central Repository - Security Boulevard

We at Sonatype take our responsibility as stewards of the Central Repository (Central) very seriously, and for well over a decade we have been dedicated to the ideal of immutability when it comes to serving components to the community that relies on Central.  As the stewards of Central, it has long been our position that we would only consider removing components from the repository in the event of IP infringement or the presence of clearly malicious code. 

Unfortunately, today, due to an intellectual property dispute between two third parties, we find ourselves in a position where we are required to remove the disputed artifacts from Central.

Let me explain.  Late last week, Sonatype received a Digital Millennium Copyright Act (DMCA) Takedown Notice from legal representatives of Elasticsearch, Inc. requesting that we remove the disputed components tied to Search Guard from Central.  GitHub, where the Search Guard components were also available, received a similar notice.

Elasticsearch alleges that a German company, floragunn GmbH, has infringed on Elasticsearch’s intellectual property by directly copying source code from proprietary security features into the Search Guard plugin and making it available for download via Central and OSSRH (OSS Repository Hosting).  Having reviewed the allegations with outside counsel, we have come to the conclusion that we are legally obligated to remove and disable access to the allegedly infringing floragunn content in order to comply with the DMCA.  So, as of this morning, the components – containing what Elasticsearch alleges to be its proprietary source code – will be blocked from Central and OSSRH until further notice. 

Because many build processes are automated and resolve dependencies directly from Central, we know that removing these components may break builds that depend on them. Additionally, due to the (Read more...)
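The practical question for anyone running automated builds is whether their own project pulls the blocked coordinates. The following script is an added example, not code from Sonatype or from the original post: it parses a Maven pom.xml and reports every declared dependency whose groupId falls under a blocked group. The post does not list the affected coordinates, so the groupId `com.floragunn` and the sample pom below are assumptions constructed for illustration; replace them with the real coordinates from the notice.

```python
import xml.etree.ElementTree as ET

# Assumed for illustration only: the post does not name the blocked
# coordinates. Substitute the actual groupIds from the takedown notice.
ASSUMED_BLOCKED_GROUP_IDS = {"com.floragunn"}

# Constructed sample pom.xml; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.org</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.elasticsearch</groupId>
      <artifactId>elasticsearch</artifactId>
      <version>7.3.0</version>
    </dependency>
    <dependency>
      <groupId>com.floragunn</groupId>
      <artifactId>search-guard-7</artifactId>
      <version>7.3.0-35.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://maven...}dependency'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def find_blocked_dependencies(pom_xml, blocked_group_ids=ASSUMED_BLOCKED_GROUP_IDS):
    """Return (groupId, artifactId, version) for every <dependency> in the pom
    whose groupId equals, or is a sub-group of, a blocked groupId.

    Walks the whole tree, so <dependencyManagement>, <profiles> and plugin
    dependencies are covered as well as the top-level <dependencies> block.
    Works with or without the Maven namespace declaration.
    """
    root = ET.fromstring(pom_xml)
    hits = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        gid = _child_text(elem, "groupId")
        if gid is None:
            continue
        if any(gid == b or gid.startswith(b + ".") for b in blocked_group_ids):
            hits.append((gid, _child_text(elem, "artifactId"), _child_text(elem, "version")))
    return hits


if __name__ == "__main__":
    for gid, aid, ver in find_blocked_dependencies(SAMPLE_POM):
        print(f"blocked dependency declared: {gid}:{aid}:{ver}")
```

This only sees dependencies declared in the pom itself; a blocked artifact reached transitively will not appear. To cover that case, run the same match over the output of `mvn dependency:tree` or a resolved lockfile rather than the pom alone.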

This is a Security Bloggers Network syndicated blog from Sonatype Blog, authored by Brian Fox.