guix-devel

Re: Why [bug#47081] Remove mongodb?


From: zimoun
Subject: Re: Why [bug#47081] Remove mongodb?
Date: Wed, 17 Mar 2021 18:56:32 +0100

On Wed, 17 Mar 2021 at 18:09, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote:
>> If the removal for security reasons had been discussed on IRC, it could
>> be nice to point the discussion here.  Otherwise, open a discussion on
>> the topic on guix-devel or bug-guix.  The full removal is a radical
>> solution (especially, it should be done with 2 commits: service+doc and
>> then package; well another story).
>
> https://issues.guix.gnu.org/47081 - some of it there: 
> https://logs.guix.gnu.org/guix/2021-03-12.log#001752
>
> Efraim, Cbaines, Lfam were involved there and showed no big objections

Thanks.


>> Well, you updated mongodb from 3.4.10 to 3.4.24 on the March 10th,
>> submitted a patch series for the removal on the March 12th and pushed on
>> the March 16th.  In the meantime, the update has been reverted on the
>> March 11th because of license issue, IIUC.
>> 
>
> The security update was reverted, then the revert was reverted due to
> debate on licensing which turns out reverting the revert was actually
> wrong because some specific files were under SSPL, at that point we
> were shipping SSPL code which is nonfree, so the removal is also that.

AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0.  This
version had been released before the October 16th, 2018.  Could you
point which code is non-free?

IMHO, this claim about non-free code is wrong.  The last versions with
an acceptable license seem 4.0.3 or 4.1.4, I guess.

I am not against removing MongoDB.  I am just saying that the removal
deserves at least a message on guix-devel and maybe a --news entry.

In other words, it deserves more than 6 days between the “oh there are
security vulnerabilities” and the full removal.  When one uses a version
from 2017 as 3.4.10 is, one knows that it can have security
vulnerabilities.

I am not complaining about the commit itself, but I am complaining about
the way of doing the thing.


All the best,
simon


