unofficial mirror of guix-devel@gnu.org 
From: zimoun <zimon.toutoune@gmail.com>
To: "Léo Le Bouter" <lle-bout@zaclys.net>
Cc: guix-devel@gnu.org
Subject: Re: Why [bug#47081] Remove mongodb?
Date: Wed, 17 Mar 2021 18:56:32 +0100
Message-ID: <86a6r1wtnz.fsf@gmail.com>
In-Reply-To: <f3e04a7a1bad585026e5938e1d36351c43db7486.camel@zaclys.net>

On Wed, 17 Mar 2021 at 18:09, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote:
>> If the removal for security reasons had been discussed on IRC, it could
>> be nice to point the discussion here.  Otherwise, open a discussion on
>> the topic on guix-devel or bug-guix.  The full removal is a radical
>> solution (especially, it should be done with 2 commits: service+doc and
>> then package; well another story).
>
> https://issues.guix.gnu.org/47081 - some of it there: 
> https://logs.guix.gnu.org/guix/2021-03-12.log#001752
>
> Efraim, Cbaines, Lfam were involved there and showed no big objections

Thanks.


>> Well, you updated mongodb from 3.4.10 to 3.4.24 on March 10th,
>> submitted a patch series for the removal on March 12th and pushed on
>> March 16th.  In the meantime, the update has been reverted on
>> March 11th because of a license issue, IIUC.
>>
>
> The security update was reverted, then the revert was reverted due to
> debate on licensing which turns out reverting the revert was actually
> wrong because some specific files were under SSPL, at that point we
> were shipping SSPL code which is nonfree, so the removal is also that.

AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0.  This
version had been released before October 16th, 2018.  Could you
point out which code is non-free?

IMHO, this claim about non-free code is wrong.  The last versions with
an acceptable license seem to be 4.0.3 or 4.1.4, I guess.

I am not against removing MongoDB.  I am just saying that the removal
deserves at least a message on guix-devel and maybe a --news entry.

Said otherwise, it deserves more than 6 days between the “oh there are
security vulnerabilities” and the full removal.  When one uses a version
from 2017 as 3.4.10 is, one knows that it can have security
vulnerabilities.

I am not complaining about the commit itself, but I am complaining about
the way of doing the thing.


All the best,
simon

