From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id AMDfFMhGUmBDZQAA0tVLHw (envelope-from ) for ; Wed, 17 Mar 2021 18:13:28 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id SPfXEMhGUmBJMgAAbx9fmQ (envelope-from ) for ; Wed, 17 Mar 2021 18:13:28 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E7621200AF for ; Wed, 17 Mar 2021 19:13:27 +0100 (CET) Received: from localhost ([::1]:58080 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMafe-0001uv-Ra for larch@yhetil.org; Wed, 17 Mar 2021 14:13:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59420) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMaa3-0006HL-V3 for guix-devel@gnu.org; Wed, 17 Mar 2021 14:07:40 -0400 Received: from mail-wr1-x432.google.com ([2a00:1450:4864:20::432]:37513) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lMaZy-0007Eb-1y for guix-devel@gnu.org; Wed, 17 Mar 2021 14:07:39 -0400 Received: by mail-wr1-x432.google.com with SMTP id x16so2799853wrn.4 for ; Wed, 17 Mar 2021 11:07:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version:content-transfer-encoding; bh=8BUOUAS9RALrnFUrS0WujDGuI9f85MgHmDU5ypuWczk=; b=O3q+OUF7TsPbvpxgfwEeTpnvyH7MaYbPiLZz5q1fGRsKeevNqGrcevio/TTGm9P4sV xDR3aqCGcukXxaDENs3tKIerAMuD+ZQVdszQiZsMz/3x19c71ibiKqq237bXRNjHy6Dx NQYEThkcknT1Ntznjj4iItu0ySQ5tbvHqBjPLVcPysS7JdNwQOTvH9Mt4NoNHO6s6ZPY A3OIk0Zbi0cj5rPl05hsCg3Mn15YG+UpHiRBQ45MncpVxR7e/h5HpiTIGHvnBhAuSugH jN9FqetFzsqRyBTlc5Q6VFVbAfu70/Ta6FjV7K/V8QbbERaDbBYITvVCpMNIJCZ/GQxi ansg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version:content-transfer-encoding; bh=8BUOUAS9RALrnFUrS0WujDGuI9f85MgHmDU5ypuWczk=; b=k7Tq98eIngx6vzIcPTwwKTuFS7uiZwSZPDvy8Simq23tPA5VDH2cAORJ/VcdbKc/20 c6UYmnnZ6IUSboHywAw8RvacpprlEXGEZsWO6FCcSyCA6LgvBZv5ORiH6oRGoPWnTkxS yKrA9+hLtoy7HFAXJhrvHbB7XqGaGPVkFiGTD5ca4reJW3zvwEqYgfJkReeBFETlqNok enF6OU5h8CVnDUE4+cOWqpTWg4I1V+X+6HKKjwjqy6fQnhj5bdWdW8Apo3qguswR0IO+ eecHU8IliD9Kb50Y1xL+4FarUTIcLpTrEo/v1+ztpNwaz7G6/o/a0XemF1v8QunxHcNg WUtw== X-Gm-Message-State: AOAM531dzaMZNY8Wnytwe527/Vj8ghWbrRXgjVkzTR2W5ByVRRlfbwuf e+n7SoD1d6SWyh3cA08XhyzRqYetngo= X-Google-Smtp-Source: ABdhPJyiXhwjq3fEScx80aeIsE0IhnwHKRELWBf0dIvXTtK1TrTN5xBEweQSuozxl+2EO3wIP+3WhA== X-Received: by 2002:a5d:640b:: with SMTP id z11mr5472766wru.327.1616004451880; Wed, 17 Mar 2021 11:07:31 -0700 (PDT) Received: from lili ([88.126.110.68]) by smtp.gmail.com with ESMTPSA id l4sm25962872wrt.60.2021.03.17.11.07.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Mar 2021 11:07:31 -0700 (PDT) From: zimoun To: =?utf-8?Q?L=C3=A9o?= Le Bouter Subject: Re: Why [bug#47081] Remove mongodb? In-Reply-To: References: <20210312005632.13690-1-lle-bout@zaclys.net> <86ft0twwg8.fsf@gmail.com> Date: Wed, 17 Mar 2021 18:56:32 +0100 Message-ID: <86a6r1wtnz.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=2a00:1450:4864:20::432; envelope-from=zimon.toutoune@gmail.com; helo=mail-wr1-x432.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616004808; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=8BUOUAS9RALrnFUrS0WujDGuI9f85MgHmDU5ypuWczk=; b=ENrx8iHSgVGBQOeQ45dreMRqhO+G3RN+jLw1DqyJI8QpP6+lq9vno9qWt+l0YSYfvm3jpa VmwBKIEJOQDS2HYxGnVGzZtSC+5BwD6c0w4n+FsY0wcxfYnsr0LbFE4mNZFapFQzm8cfXz LqlUbdY6fG2goh8TwMj1AucU05cbMU5B87ThQkTgqnRQk6ytomhWgkaFX6lpnw5d1E38N/ JA89LiBoVEgo7XIjbTzIjBrRPtpQaZsh2+oFLfp62SJtCJPWv7stEbg0OmoUqxUP+CBj9M gBPgsaM6XX9rm+JNG6T7V4ZB+QZeXzGuC/i46N2buoDLxzlbCz/W1o14b5+ebQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616004808; a=rsa-sha256; cv=none; b=dlc4WJdN0Wn9EqIvSDRKvhcpHSRUW1w5KlDMDYf9EuyyqCHSEkyDia1TafvlqFG4LjPUzx U5TJqeh+NqUda6+YKGkdySV0PmEbzm2vbplC0fNrFl1byt2papIE8uLbs0ZfoVHNsPwZBY 3ri3rqyJEkahvdCywn4sOptH0yQRa32NUOuotNGCLbfxRUxBA/cRGgevuikmbaX+A51UFX QMXiOH/zpsRKlAbf89OGcdkSeHjct2NuqK5ASzers0NfoQBA6c8B/1zhFOphNs/QHuBvc+ i781pmFvnHhniCtoI4mGPuBit2SWOuaO3Ab+l1U+idykV3doTk3xDtHd505YVQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b=O3q+OUF7; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.10 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b=O3q+OUF7; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: E7621200AF X-Spam-Score: -2.10 X-Migadu-Scanner: scn0.migadu.com X-TUID: hBeVxfKbOn5k On Wed, 17 Mar 2021 at 18:09, L=C3=A9o Le Bouter wrot= e: > On Wed, 2021-03-17 at 17:56 +0100, zimoun wrote: >> If the removal for security reasons had been discussed on IRC, it >> could >> be nice to point the discussion here. Otherwise, open a discussion >> on >> the topic on guix-devel or bug-guix. The full removal is a radical >> solution (especially, it should be done with 2 commits: service+doc >> and >> then package; well another story). > > https://issues.guix.gnu.org/47081 - some of it there:=20 > https://logs.guix.gnu.org/guix/2021-03-12.log#001752 > > Efraim, Cbaines, Lfam was involved there and shown no big objections Thanks. >> Well, you updated mongodb from 3.4.10 to 3.4.24 on the March 10th, >> submitted a patch series for the removal on the March 12th and pushed >> on >> the March 16th. In the meantime, the update has been reverted on the >> March 11th because of license issue, IIUC. >>=20 > > The security update was reverted, then the revert was reverted due to > debate on licensing which turns out reverting the revert was actually > wrong because some specific files were under SSPL, at that point we > were shipping SSPL code which is nonfree, so the removal is also that. AFAIT, 3.4.10 is released under GNU AGPL 3.0 and Apache 2.0. This version had been released before the October 16th, 2018. Could you point which code is non-free? IMHO, this claim about non-free code is wrong. The last versions with an acceptable license seem 4.0.3 or 4.1.4, I guess. I am not against removing MongoBD. I am just saying that the removal deserves at least a message on guix-devel and maybe a --news entry. Other said, it deserves more than 6 days between the =E2=80=9Coh there is security vulnerabilities=E2=80=9D and the full removal. When one uses a ve= rsion from 2017 as 3.4.10 is, one knows that it can have security vulnerabilities. I am not complaining about the commit itself, but I am complaining by the way of doing the thing. All the best, simon