Re: Why [bug#47081] Remove mongodb?

[Efraim Flashner]

On Sun, Mar 21, 2021 at 11:15:32PM +0100, Léo Le Bouter wrote:
> Hello!
> 
> > Removing a package and its services is not something to do lightly:
> > it
> > breaks user configs with no recourse.
> > 
> > We must insist on getting more opinions on such matters, and I think
> > there just wasn’t enough feedback here.  I understand it can be
> > frustrating to wait for input, but in such a case, please do.  This
> > project has always strove for consensus.
> > 
> > Remember that the opinion of those who’ve been taking care of
> > security
> > issues in Guix for years, those who’ve been maintaining MongoDB,
> > those
> > who wrote the service and its tests, are invaluable; they must have a
> > say.  I insist: humbly solicit and wait for their feedback.
> > 
> 
> I understand, and I did not think it was a light thing to do, no one
> mentionned anything we should do for the remove, so I actually do not
> know how we handle that but the security/non-free code thing put some
> urge into the situation, apologizes for moving on and pushing without
> waiting for more feedback, few people gave their feedback on IRC and by
> email and that's why I felt more confident doing the actual change.
> 
> > Now, how do we move forward?  IMO we must look for available options
> > before we remove MongoDB.  Are there forks of the original
> > freely-licensed code base maintained around?  That sounds likely.  
> 
> I never heard of any and after some searches even before I pushed the
> remove commit it remained inconclusive on whether we can rely on a
> fork.
> 
> > Are
> > there backports of the security fixes? 
> 
> Ubuntu Focal maintains a package still but to me they still don't have
> all the fixes, see: https://packages.ubuntu.com/focal/mongodb-server
> 
> All in all, I don't think we should keep a package in more-than-
> maintenance mode when the upstream has decided to change the license,
> they are uncooperative and making our work harder so I think we should
> remove the package. It's not like we are an LTS distro like Ubuntu
> Focal that absolutely must keep a package until the end of the support
> cycle. It may break configs yes, but actually this had to happen, at
> the same time they changed to a problematic nonfree license and openssl
> 1.1.1 is not supported on 3.4.x (Ubuntu uses 3.6.8 instead which also
> is under AGPL but more recent than our 3.4.10 we had so supports
> openssl 1.1.1 with some patches they made). I'm not particularily
> sympathetic to MongoDB. Also are there actually people using the
> mongodb service on GNU Guix?
> 
> > What do the previous
> > contributors to this code think—Chris, Efraim, Marius, Arun?
> 
> Chris voiced their opinion saying they didnt mind removing the package,
> I think Efraim said that on IRC also but I am not sure, so let's wait
> for their input here.
> 
> > 
> > Léo, please get involved in reaching consensus on a solution.
> 
> CC'd them, of course, again, sorry.
> 
> > Ludo’.
> 
> Léo
> 

I don't have a strong opinion. I had hoped they'd return to a free
license but that doesn't seem to be the case. I see it a bit more from a
selfish angle, I'd rather drop packages like mongodb which are
unsupported or effectively dead upstream AND I don't use to free up
resources for other packages but I'd rather not take away a package that
someone else is actually using.

Given limited developer time, I would personally rather spend my own
developer time porting gourmet (last release 2014) to python3 than
porting mongodb to openssl-1.1.



-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

signature.asc
Description: PGP signature