From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id mAptBAVqWGCvVwAA0tVLHw (envelope-from ) for ; Mon, 22 Mar 2021 09:57:25 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id 2BU1AAVqWGBXEgAAB5/wlQ (envelope-from ) for ; Mon, 22 Mar 2021 09:57:25 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A6B27858B for ; Mon, 22 Mar 2021 10:57:24 +0100 (CET) Received: from localhost ([::1]:36842 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lOHJL-0000QX-Pp for larch@yhetil.org; Mon, 22 Mar 2021 05:57:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51844) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lOHJB-0000Of-UW for guix-devel@gnu.org; Mon, 22 Mar 2021 05:57:13 -0400 Received: from flashner.co.il ([178.62.234.194]:53746) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lOHJ8-0003rr-Ac; Mon, 22 Mar 2021 05:57:13 -0400 Received: from localhost (unknown [31.210.181.184]) by flashner.co.il (Postfix) with ESMTPSA id C37B040332; Mon, 22 Mar 2021 09:56:35 +0000 (UTC) Date: Mon, 22 Mar 2021 11:55:59 +0200 From: Efraim Flashner To: =?utf-8?Q?L=C3=A9o?= Le Bouter Subject: Re: Why [bug#47081] Remove mongodb? Message-ID: References: <20210312005632.13690-1-lle-bout@zaclys.net> <86ft0twwg8.fsf@gmail.com> <87czvu839f.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="1kiQl9sxrDZhMq+y" Content-Disposition: inline In-Reply-To: X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Received-SPF: pass client-ip=178.62.234.194; envelope-from=efraim@flashner.co.il; helo=flashner.co.il X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616407044; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=hMPzhWdVr/VKp0+XFga5+3OnKXTgNxwa6DECz3L+TUc=; b=Wiu9BSNr2JK9Qpjj99LNdm5NbdNrNqO0BQmIpUTZ33LIg6NnO2EYGBmA1aGLy2OBXBAfq3 u6wq3/dVCZ6sr6o1Zz4T7DMHR1457b0QAWFrXXu+CwKi3K8kP8TzqssfMzigyD45LeZq5k w/xt6nGyOK4y4IMd+ND1gE8z2yKzRZJ4nIvZwr7aNkkrrxR0f2z2HZILCAHuwtMcLOPyoJ qjzsMFmzRtSxdoh5qTMC5QyQkNsrTnhblI7AjJUp+aYJARmIs2a2nzOD4ulJ2zTmk13sA3 dr7wQaBUYSlNb/qYdHMlRrrBSalpbOMsCKSFUuIn+8bKUfnxYBPeFppJhZ1J+Q== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616407044; a=rsa-sha256; cv=none; b=qkGABJwA1kNXEOrcxmSLR9h/DNQ0PayBgbufygGdj1q8phIW+mgzQ23yFy50o3lZhgaIE3 9N0ghkbXgJQzsMFIsHTALkQ4OZnzJvOn8+iacnlFWFCMUahfG4smEyqEfxJljqhcIShT+7 VAXJ4skh+DuVnRJ6KvfC8bYVqwjjRYAsM1+ng8met7x2aDKUjMbuEoNtRD9b1QSr1CvUSo c8WepZ2tA9picRS3dRJbuv5XKkO9kz5wIW9RFyqF7iQ5SvdkZEPVd16lRbiv49PZVj7LBa x+GFq7FUiFXT5tgnnt0q1NUiW9+wjrAdiJeuyL2thIBB6+3pjO9ocr1Q5460jA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.02 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: A6B27858B X-Spam-Score: -3.02 X-Migadu-Scanner: scn0.migadu.com X-TUID: 07bDgSeDO0Gl --1kiQl9sxrDZhMq+y Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Mar 21, 2021 at 11:15:32PM +0100, L=C3=A9o Le Bouter wrote: > Hello! >=20 > > Removing a package and its services is not something to do lightly: > > it > > breaks user configs with no recourse. > >=20 > > We must insist on getting more opinions on such matters, and I think > > there just wasn=E2=80=99t enough feedback here. I understand it can be > > frustrating to wait for input, but in such a case, please do. This > > project has always strove for consensus. > >=20 > > Remember that the opinion of those who=E2=80=99ve been taking care of > > security > > issues in Guix for years, those who=E2=80=99ve been maintaining MongoDB, > > those > > who wrote the service and its tests, are invaluable; they must have a > > say. I insist: humbly solicit and wait for their feedback. > >=20 >=20 > I understand, and I did not think it was a light thing to do, no one > mentionned anything we should do for the remove, so I actually do not > know how we handle that but the security/non-free code thing put some > urge into the situation, apologizes for moving on and pushing without > waiting for more feedback, few people gave their feedback on IRC and by > email and that's why I felt more confident doing the actual change. >=20 > > Now, how do we move forward? IMO we must look for available options > > before we remove MongoDB. Are there forks of the original > > freely-licensed code base maintained around? That sounds likely. =20 >=20 > I never heard of any and after some searches even before I pushed the > remove commit it remained inconclusive on whether we can rely on a > fork. >=20 > > Are > > there backports of the security fixes?=20 >=20 > Ubuntu Focal maintains a package still but to me they still don't have > all the fixes, see: https://packages.ubuntu.com/focal/mongodb-server >=20 > All in all, I don't think we should keep a package in more-than- > maintenance mode when the upstream has decided to change the license, > they are uncooperative and making our work harder so I think we should > remove the package. It's not like we are an LTS distro like Ubuntu > Focal that absolutely must keep a package until the end of the support > cycle. It may break configs yes, but actually this had to happen, at > the same time they changed to a problematic nonfree license and openssl > 1.1.1 is not supported on 3.4.x (Ubuntu uses 3.6.8 instead which also > is under AGPL but more recent than our 3.4.10 we had so supports > openssl 1.1.1 with some patches they made). I'm not particularily > sympathetic to MongoDB. Also are there actually people using the > mongodb service on GNU Guix? >=20 > > What do the previous > > contributors to this code think=E2=80=94Chris, Efraim, Marius, Arun? >=20 > Chris voiced their opinion saying they didnt mind removing the package, > I think Efraim said that on IRC also but I am not sure, so let's wait > for their input here. >=20 > >=20 > > L=C3=A9o, please get involved in reaching consensus on a solution. >=20 > CC'd them, of course, again, sorry. >=20 > > Ludo=E2=80=99. >=20 > L=C3=A9o >=20 I don't have a strong opinion. I had hoped they'd return to a free license but that doesn't seem to be the case. I see it a bit more from a selfish angle, I'd rather drop packages like mongodb which are unsupported or effectively dead upstream AND I don't use to free up resources for other packages but I'd rather not take away a package that someone else is actually using. Given limited developer time, I would personally rather spend my own developer time porting gourmet (last release 2014) to python3 than porting mongodb to openssl-1.1. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --1kiQl9sxrDZhMq+y Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmBYaawACgkQQarn3Mo9 g1GZHQ/+JEYN//E/kTWdo1ud0KDTmtmrz3vNZDfbOBCuNbrDSNPs1fW7s25JViL2 UzOMtbcCgbE2jQG3y4XuZwSUEqmVGJFlBrIJU9SBzvU3SvRX4EDAVKz7w5l3Pkpt W6Ywul03wZ3rnsAzb62DTyszQJ44PMpAuiWgdS5uDb2EoT3CwITtKnRtPAtsB9Cj M9VRaMiPwv8tjGAqsVK1O3meaQ216RRNPiyX+neoI9AmHlEIo2R6fNMAJZl1Q/sU aNwq4gAnwWfpXVUlsjqMbcezFelzQLxbA4vQc7Ep6C+syiZkFVhU0A0umYANUTTo 1HpBNosuRXHhi1shal6ddLgv9kqVprLlo1HrRBGSWgdiF8FVrM51oYMzKDZ9gv4j 0PikrTS8DXeYx7UEsb3mvqyvYoOBqk75S+FZOJ4my8H6xwZVkJcVWaDrVAE9itGi nl1J5T79rI5ykmxumyDq5KTjcRbaOcH56NmIMh4hqKpxD8oDT6qYTKFJUB8PVlLg nwR1PCyHaKL13/+kxR4XWRDEici2v/1bc35wf65AaKMncLO4EFgnXUv+9vlMbV+Q 7GLCZvDFlZaoIpsaiosvS1NzSEI+qds6AFSqKXLEIxUzQEZOiF4jN5nj95IzypBt gfNmL1czKdQdHMNwRml1thX6TUZwrmZwf/A3EH0SoQnrxYq2k9w= =orrA -----END PGP SIGNATURE----- --1kiQl9sxrDZhMq+y--