MongoDB license change and security support
On 2018-10 MongoDB changed its license from AGPL to SSPL.
In broad terms, the main change is requiring service providers to make
available the source of not only MongoDB (like AGPL) but also of other
parts of their service.
The SSPL was generally considered incompatible with the DFSG:
and the package was removed from unstable in 2020-02:
so it's only available in stretch-lts (3.2) and jessie-elts (2.4) now.
The development repository has multiple branches:
- 3.4: stayed AGPL but EOL'd in early 2020,
- 3.6 and later: all switched to SSPL in 2018-10
This means that when backporting new upstream security fixes:
- we're introducing DFSG-incompatible code in Debian main
- we're violating MongoDB's license by combining incompatible licenses
(something we may have overlooked in DLA-2344-1)
Moreover, the database engine code is complex, so patches cannot
reasonably be rewritten by non-specialists. They are also large enough
to be covered by copyright.
Consequently I believe we're not in a position to offer MongoDB security
support in LTS nor ELTS, and we need to drop it from our supported packages.
What do you think?