From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id 378aAsvFV2A1LwAA0tVLHw (envelope-from ) for ; Sun, 21 Mar 2021 22:16:43 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id CBPtOMrFV2AiIwAAB5/wlQ (envelope-from ) for ; Sun, 21 Mar 2021 22:16:42 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A037529842 for ; Sun, 21 Mar 2021 23:16:42 +0100 (CET) Received: from localhost ([::1]:47574 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lO6NF-0002g6-J4 for larch@yhetil.org; Sun, 21 Mar 2021 18:16:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51650) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lO6N6-0002fz-DR for guix-devel@gnu.org; Sun, 21 Mar 2021 18:16:32 -0400 Received: from mail.zaclys.net ([178.33.93.72]:36701) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lO6N3-0000UU-Oo; Sun, 21 Mar 2021 18:16:31 -0400 Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12LMFZM7029566 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 21 Mar 2021 23:15:38 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12LMFZM7029566 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616364942; bh=7nu7paoMsPemSzkq4PktqMVQy36zXEU3Q8LCH59bKlA=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=Um9hg/uIm29MeSVgbtZRqGDbB5eUzNWLTR5HsSHP0X61VbdEC1egaZeCuEVhatRG5 SFH8fO+gakp8GBfiIs+Vn5PrbK2pvnTGKMPJ5kpWSKpL8sPaPgV5zTEde9JftefCrg yb4ym4uLAiIGOFcY8Jc/SY0PqUp0k4shNls7rj2o= Message-ID: Subject: Re: Why [bug#47081] Remove mongodb? From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: Ludovic =?ISO-8859-1?Q?Court=E8s?= Cc: zimoun , guix-devel@gnu.org, arunisaac@systemreboot.net, marius@gnu.org, efraim@flashner.co.il, mail@cbaines.net Date: Sun, 21 Mar 2021 23:15:32 +0100 In-Reply-To: <87czvu839f.fsf@gnu.org> References: <20210312005632.13690-1-lle-bout@zaclys.net> <86ft0twwg8.fsf@gmail.com> <87czvu839f.fsf@gnu.org> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-iN2bjC40NukD2X1j3NqQ" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616365002; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=7nu7paoMsPemSzkq4PktqMVQy36zXEU3Q8LCH59bKlA=; b=nXtW6rzVa4FgqtVL/LfmcT6dNvLkdOFssDijXXgyLQ/i8i+dCnKFwVOa+/Wi7QUxNkPfAo RD8d/Zm2lArCwitXsH9DKtahJaz9zq9xqlqCFGlLaLpfhZWxW0wXJlFefklLcD7GdhQ47p o3qLtJQT1TY3dd/EQKTmL50aT8ycyqZ8ltkZqgtpA4pkYn9nPA7hWW/RwU1c+S6u6VrVpR gO9gFTFjDtv1X2SSvUpaC3x36xA5y3ssNy4O9hkTVh2Mx4lM5EXlQwefAjIDBdEsSLyeGX 9mXnAGft/eeLz6Q8acrQIJ1cYYVEUZ+9ArN64Y94YqbKokrqDrbUGWuLwo27Lw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616365002; a=rsa-sha256; cv=none; b=ePLUqKBUsVZpznme+JipmLUL4LiJyKMUk9YYlukzLwlNcVb/ckLM5UAj9NLKbmfIGB7YQl YkWAu9fNLZZETdrxC3cHeHpW1r4JGsqjpnboaEb1ylUXcQW9tMHrUauutbxmauUd2SjueI UAQPFEFGbBs/C9NaVSfRMIXzH3OH+G7L1GphmJHTywigmoeX7ISu1aun+em82ErPUwNq4E hcKcNhrwILO3oitc0T6GzDAzKoDx6s+nmcAKJrtIDJuVWlfeR0BUFUhKKo42gyZzS+1E8H 7n/Yi5phaB02RZ/+64PSLofjcnOIW+qs+HM6RVK5jM5Gbgk2fBh8oXKlu8POEw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b="Um9hg/uI"; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.72 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b="Um9hg/uI"; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: A037529842 X-Spam-Score: -2.72 X-Migadu-Scanner: scn0.migadu.com X-TUID: DTfJvBb4Wb+A --=-iN2bjC40NukD2X1j3NqQ Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello! > Removing a package and its services is not something to do lightly: > it > breaks user configs with no recourse. >=20 > We must insist on getting more opinions on such matters, and I think > there just wasn=E2=80=99t enough feedback here. I understand it can be > frustrating to wait for input, but in such a case, please do. This > project has always strove for consensus. >=20 > Remember that the opinion of those who=E2=80=99ve been taking care of > security > issues in Guix for years, those who=E2=80=99ve been maintaining MongoDB, > those > who wrote the service and its tests, are invaluable; they must have a > say. I insist: humbly solicit and wait for their feedback. >=20 I understand, and I did not think it was a light thing to do, no one mentionned anything we should do for the remove, so I actually do not know how we handle that but the security/non-free code thing put some urge into the situation, apologizes for moving on and pushing without waiting for more feedback, few people gave their feedback on IRC and by email and that's why I felt more confident doing the actual change. > Now, how do we move forward? IMO we must look for available options > before we remove MongoDB. Are there forks of the original > freely-licensed code base maintained around? That sounds likely. =20 I never heard of any and after some searches even before I pushed the remove commit it remained inconclusive on whether we can rely on a fork. > Are > there backports of the security fixes?=20 Ubuntu Focal maintains a package still but to me they still don't have all the fixes, see: https://packages.ubuntu.com/focal/mongodb-server All in all, I don't think we should keep a package in more-than- maintenance mode when the upstream has decided to change the license, they are uncooperative and making our work harder so I think we should remove the package. It's not like we are an LTS distro like Ubuntu Focal that absolutely must keep a package until the end of the support cycle. It may break configs yes, but actually this had to happen, at the same time they changed to a problematic nonfree license and openssl 1.1.1 is not supported on 3.4.x (Ubuntu uses 3.6.8 instead which also is under AGPL but more recent than our 3.4.10 we had so supports openssl 1.1.1 with some patches they made). I'm not particularily sympathetic to MongoDB. Also are there actually people using the mongodb service on GNU Guix? > What do the previous > contributors to this code think=E2=80=94Chris, Efraim, Marius, Arun? Chris voiced their opinion saying they didnt mind removing the package, I think Efraim said that on IRC also but I am not sure, so let's wait for their input here. >=20 > L=C3=A9o, please get involved in reaching consensus on a solution. CC'd them, of course, again, sorry. > Ludo=E2=80=99. L=C3=A9o --=-iN2bjC40NukD2X1j3NqQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBXxYQACgkQRaix6GvN EKar0g/9Hwok2CJE1AizvYjKxiUsiI99JUwPbPzY/BOKBEy6G/v7OfW7Ui25Xj7l u+6zXod23c0OTVhdrWVvQvdLdTfh/kfv+NPpAugGmjVGCDSKR6qfGy46pg2I8jXj 0P8l2VOawi8NiyY7vlyujSey9AHxCV/b0wU2AH86kjgMdHI22YBtdZTSexvLfc7N CnGT3AzuGpcnDKX0OqD0JRhNKTyzYHu9PXGm7YphjgQ/5VBtk06zixVCxkxpaq5q cPAd0iQhEv++4K1qG4uVjy1OSmPjUzKrkor8J1OmJZcFnRmS0YSUbQuyxGqHcMyI wGF6IhS0NNW0Z0kU/jwyd3BgXOR5O3chz8zIA6TCjQSBPXKArnmSwcNlzORgs6pn fWFH6Gf4vV1fh8ff2RfNHw8B80f31fXu9UxC3XggL6Adhn6CpRbIEVzkycbDXxQD QdUt9xQ6EtvcaI+TBg224f8KcfhlFsuMLIj5Akx0pY7XsOAzteFTDPNkiXCSuSfe OwvngGdZx24Q3jbCXMpczWz1NG6pw3yWLzid7St/zNRc5ermffJkhwGvxVypCM2O nFV2MqRHj6C7sHB/rbMAlsdCXSHyRXgVsYaq5GdTXuzb+N4XH+ClPOgb6RrezsBR QHGWwgv2PwtmQ/7cbpuwn9wO9LSONxln60Z83I0ukk5fzPKSckA= =mWYS -----END PGP SIGNATURE----- --=-iN2bjC40NukD2X1j3NqQ--