Page MenuHomePhabricator

New MongoDB version is not DFSG-compatible, dropped by Debian
Closed, ResolvedPublic


As a consequence of MongoDB switching to Server Side Public License 1.0, Debian decided that they won't be allowing it in their main repo. It also means that they might not be able to provide security fixes for older, DFSG-compatible versions. Currently, we're using MongoDB in 2 places:

  • EventLogging
  • xhgui

We don't have to do anything right now, but in the long term, we have several options:

  • Hope that SSPL 2.0 will be a free software license.
  • Use SSPL licensed packages from the vendor. This would require legal approval (and this license is even more restrictive than AGPL which we discussed in wikitech-l and general opinion was that it's not very good for us).
  • Use old packages until they're out of support. Then maybe someone comes up with a viable fork.
  • Stop using MongoDB.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

SSPL v2 is not substantially different, and IMO the perspective on the OSI's license-review wasn't very different from v1. I think it would be valuable to at least start planning on how to get rid of our MongoDB dependencies...

XHGui is scheduled to be migrated from tungsten (Jessie; Mongo 2.4.10) to webperf1002 (Stretch). deployment-webperf12 in Beta currently has this partly provisioned already and via there I confirmed that our Stretch repo provides Mongo 3.2.11.

Ref T180761.

CDanis triaged this task as Medium priority.Jan 17 2019, 4:51 PM

We do not use MongoDB in EventLogging production. Thanks for the heads up. Removing EventLogging and Analytics.

mforns added a project: Analytics.

@mforns, so you don't need python-pymongo installed in eventlogging::dependencies?

nope! def not. must be some super legacy thang.

Change 485080 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/puppet@production] Remove unused python-pymongo from eventlogging::dependencies

Change 485080 merged by Ottomata:
[operations/puppet@production] Remove unused python-pymongo from eventlogging::dependencies

Krinkle updated the task description. (Show Details)

Meanwhile, over on the OSI license-review mailing list (March 2019 summary):

Eliot Horowitz announces that MongoDB retracts the SSPL from the OSI
approval process, citing a lack of community support as a reason.

Given we haven't heard any announcement from MongoDB to suggest a reconsideration of their license, this presumably means that for the foreseeable future MongoDB will stick with their new license, and continue without Debian support or OSI approval. I suppose it was worth a shot :)

From the XHGui side, a refactor has landed that decouples it from the MongoDB backend, adding PHP-PDO support through which many different backends can be plugged in.

This refactor has landed in upstream master (though not yet released). Let's assume for now that this will provide an upgrade path by the time Debian Stretch goes EOL in 2020.

Krinkle claimed this task.

Closing for now as migration from MongoDB isn't in scope for this task and not something we need to do short-term.