As a consequence of MongoDB switching to the Server Side Public License 1.0, Debian decided that [[ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537#15 | they won't be allowing it in their main repo ]]. It also means that they [[ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916107 | might not be able to provide security fixes ]] for older, DFSG-compatible versions. Currently, we're using MongoDB in 2 places:
* EventLogging
* xhgui
We don't have to do anything right now, but in the long term, we have several options:
* Hope that SSPL 2.0 will be a free software license.
* Use SSPL-licensed packages from the vendor. This would require legal approval (and this license is even more restrictive than AGPL, which we discussed on wikitech-l, and the general opinion was that it's not very good for us).
* Use old packages until they're out of support. Then maybe someone comes up with a viable fork.
* Stop using MongoDB.
-------
* debian.org discussion: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537>
* opensource.org license review of SSPL 1.0: <https://lists.opensource.org/pipermail/license-review_lists.opensource.org/2018-October/thread.html#3654>
* review of SSPL 2.0: <https://lists.opensource.org/pipermail/license-review_lists.opensource.org/2018-November/date.html#3836>, <https://lists.opensource.org/pipermail/license-review_lists.opensource.org/2018-December/date.html#start>