  1. Core Server
  2. SERVER-66229

Security (CVE) patches are not AGPL licensed

Details

    • Bug
    • Resolution: Done
    • Major - P3
    • ALL

    Description

      As per the License FAQ, patches to MongoDB server are now licensed under the SSPL.

      In general, Linux distributions have not been able to adopt these more recent releases of mongodb due to this license change. As such, these distributions still ship and try to maintain the older AGPL-licensed mongodb release. However, given that this older release is no longer maintained, it is now affected by numerous security vulnerabilities which cannot be patched in these distributions due to the aforementioned license change.

      Would it be possible for MongoDB to dual-license just the specific CVE/security bug patches as AGPL to allow these distributions to incorporate those security fixes within their mongodb packages and hence provide this fundamental security support to their users?

          People

            kelsey.schubert@mongodb.com Kelsey Schubert
            alex.murray@canonical.com Alex Murray
            Votes: 0
            Watchers: 4