Re: Why [bug#47081] Remove mongodb?

["Léo Le Bouter" <lle-bout@zaclys.net>]

[-- Attachment #1: Type: text/plain, Size: 2860 bytes --]

Hello!

> Removing a package and its services is not something to do lightly:
> it
> breaks user configs with no recourse.
> 
> We must insist on getting more opinions on such matters, and I think
> there just wasn’t enough feedback here.  I understand it can be
> frustrating to wait for input, but in such a case, please do.  This
> project has always strove for consensus.
> 
> Remember that the opinion of those who’ve been taking care of
> security
> issues in Guix for years, those who’ve been maintaining MongoDB,
> those
> who wrote the service and its tests, are invaluable; they must have a
> say.  I insist: humbly solicit and wait for their feedback.
> 

I understand, and I did not think it was a light thing to do, no one
mentionned anything we should do for the remove, so I actually do not
know how we handle that but the security/non-free code thing put some
urge into the situation, apologizes for moving on and pushing without
waiting for more feedback, few people gave their feedback on IRC and by
email and that's why I felt more confident doing the actual change.

> Now, how do we move forward?  IMO we must look for available options
> before we remove MongoDB.  Are there forks of the original
> freely-licensed code base maintained around?  That sounds likely.  

I never heard of any and after some searches even before I pushed the
remove commit it remained inconclusive on whether we can rely on a
fork.

> Are
> there backports of the security fixes? 

Ubuntu Focal maintains a package still but to me they still don't have
all the fixes, see: https://packages.ubuntu.com/focal/mongodb-server

All in all, I don't think we should keep a package in more-than-
maintenance mode when the upstream has decided to change the license,
they are uncooperative and making our work harder so I think we should
remove the package. It's not like we are an LTS distro like Ubuntu
Focal that absolutely must keep a package until the end of the support
cycle. It may break configs yes, but actually this had to happen, at
the same time they changed to a problematic nonfree license and openssl
1.1.1 is not supported on 3.4.x (Ubuntu uses 3.6.8 instead which also
is under AGPL but more recent than our 3.4.10 we had so supports
openssl 1.1.1 with some patches they made). I'm not particularily
sympathetic to MongoDB. Also are there actually people using the
mongodb service on GNU Guix?

> What do the previous
> contributors to this code think—Chris, Efraim, Marius, Arun?

Chris voiced their opinion saying they didnt mind removing the package,
I think Efraim said that on IRC also but I am not sure, so let's wait
for their input here.

> 
> Léo, please get involved in reaching consensus on a solution.

CC'd them, of course, again, sorry.

> Ludo’.

Léo



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]