Re: MongoDB license change and security support
On Wed, Nov 25, 2020 at 10:27:16AM +0100, Sylvain Beucler wrote:
> On 2018-10 MongoDB changed its license from AGPL to SSPL.
> In broad terms, the main change is requiring service providers to make
> available the source of not only MongoDB (like AGPL) but also of other parts
> of their service.
> The SSPL was generally considered incompatible with the DFSG:
> and the package was removed from unstable in 2020-02:
> so it's only available in stretch-lts (3.2) and jessie-elts (2.4) now.
> The development repository has multiple branches:
> - 3.4: stayed AGPL but EOL'd in early 2020,
> - 3.6 and later: all switched to SSPL in 2018-10
> This means that when backporting new upstream security fixes:
> - we're introducing DFSG-incompatible code in Debian main
> - we're violating MongoDB's license by combining incompatible licenses
> (something we may have overlooked in DLA-2344-1)
The functional part of the upstream patch which I integrated in that
update was quite small:
2 files changed, 7 insertions(+), 1 deletion(-)
That said, I can definitely see how that decision could be considered
> Moreover, the database engine code is complex, so patches cannot reasonably
> be rewritten by non-specialists.
This is very much correct. Additionally, the versions in jessie
and stretch are EOL upstream and the more recent development branches
have diverged considerably from the older releases. Even assessing
whether a particular vulnerability is present or whether a given patch
addresses the vulnerability could prove quite challenging.
> They are also large enough to be covered by copyright.
This is likely to be the case for any significant patch.
> Consequently I believe we're not in a position to offer MongoDB security
> support in LTS nor ELTS, and we need to drop it from our supported packages.
One other thing to note is that MongoDB supplies upstream-produced
packages for all major distros for all supported versions of the MongoDB
server. I find it unlikely that many of the users with the "mongodb"
package installed from Debian sources are really using it in a way that
warrants the amount of effort that is likely to be required to continue
To be clear, my vote would be to drop support.
Roberto C. Sánchez