
MongoDB license change and security support

Hi,

In 2018-10, MongoDB changed its license from the AGPL to the SSPL.
https://jira.mongodb.org/browse/SERVER-37651

In broad terms, the main change is requiring service providers to make available the source of not only MongoDB (like AGPL) but also of other parts of their service.

The SSPL was generally considered incompatible with the DFSG:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537
and the package was removed from unstable in 2020-02:
https://tracker.debian.org/news/1104058/removed-13418-2-from-unstable/
so it's only available in stretch-lts (3.2) and jessie-elts (2.4) now.

The development repository has multiple branches:
- 3.4: stayed AGPL but EOL'd in early 2020
- 3.6 and later: all switched to SSPL in 2018-10

This means that when backporting new upstream security fixes:
- we're introducing DFSG-incompatible code in Debian main
- we're violating MongoDB's license by combining incompatible licenses

(something we may have overlooked in DLA-2344-1)

Moreover, the database engine code is complex, so patches cannot reasonably be rewritten by non-specialists. They are also large enough to be covered by copyright.

Consequently, I believe we're not in a position to offer MongoDB security support in LTS or ELTS, and we need to drop it from our supported packages.

What do you think?

Cheers!
Sylvain

