On Sun, Mar 21, 2021 at 11:15:32PM +0100, Léo Le Bouter wrote:
> Hello!
>
> > Removing a package and its services is not something to do lightly: it
> > breaks user configs with no recourse.
> >
> > We must insist on getting more opinions on such matters, and I think
> > there just wasn’t enough feedback here. I understand it can be
> > frustrating to wait for input, but in such a case, please do. This
> > project has always striven for consensus.
> >
> > Remember that the opinion of those who’ve been taking care of security
> > issues in Guix for years, those who’ve been maintaining MongoDB, those
> > who wrote the service and its tests, are invaluable; they must have a
> > say. I insist: humbly solicit and wait for their feedback.
> >
>
> I understand, and I did not think it was a light thing to do, no one
> mentioned anything we should do for the remove, so I actually do not
> know how we handle that but the security/non-free code thing put some
> urge into the situation, apologies for moving on and pushing without
> waiting for more feedback, few people gave their feedback on IRC and by
> email and that's why I felt more confident doing the actual change.
>
> > Now, how do we move forward? IMO we must look for available options
> > before we remove MongoDB. Are there forks of the original
> > freely-licensed code base maintained around? That sounds likely.
>
> I never heard of any and after some searches even before I pushed the
> remove commit it remained inconclusive on whether we can rely on a
> fork.
>
> > Are there backports of the security fixes?
>
> Ubuntu Focal maintains a package still but to me they still don't have
> all the fixes, see: https://packages.ubuntu.com/focal/mongodb-server
>
> All in all, I don't think we should keep a package in
> more-than-maintenance mode when the upstream has decided to change the
> license, they are uncooperative and making our work harder so I think we
> should remove the package. It's not like we are an LTS distro like Ubuntu
> Focal that absolutely must keep a package until the end of the support
> cycle. It may break configs yes, but actually this had to happen, at
> the same time they changed to a problematic nonfree license and openssl
> 1.1.1 is not supported on 3.4.x (Ubuntu uses 3.6.8 instead which also
> is under AGPL but more recent than our 3.4.10 we had so supports
> openssl 1.1.1 with some patches they made). I'm not particularly
> sympathetic to MongoDB. Also are there actually people using the
> mongodb service on GNU Guix?
>
> > What do the previous
> > contributors to this code think—Chris, Efraim, Marius, Arun?
>
> Chris voiced their opinion saying they didn't mind removing the package,
> I think Efraim said that on IRC also but I am not sure, so let's wait
> for their input here.
>
> >
> > Léo, please get involved in reaching consensus on a solution.
>
> CC'd them, of course, again, sorry.
>
> > Ludo’.
>
> Léo
>

I don't have a strong opinion. I had hoped they'd return to a free
license but that doesn't seem to be the case.

I see it a bit more from a selfish angle, I'd rather drop packages like
mongodb which are unsupported or effectively dead upstream AND I don't
use to free up resources for other packages but I'd rather not take away
a package that someone else is actually using.

Given limited developer time, I would personally rather spend my own
developer time porting gourmet (last release 2014) to python3 than
porting mongodb to openssl-1.1.

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted