[SERVER-66229] Security (CVE) patches are not AGPL licensed

| Created: | 05/May/22 |
| Updated: | 14/Jun/22 |
| Resolved: | 13/Jun/22 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Alex Murray |
| Assignee: | Kelsey Schubert |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Participants: | |
Description

As per the License FAQ, patches to MongoDB server are now licensed under the SSPL. In general, Linux distributions have not been able to adopt these more recent releases of MongoDB due to this license change. As such, these distributions still ship and try to maintain the older AGPL-licensed MongoDB release. However, given that this older release is no longer maintained, it is now affected by numerous security vulnerabilities which cannot be patched in these distributions due to the aforementioned license change. Would it be possible for MongoDB to dual-license just the specific CVE/security bug patches as AGPL to allow these distributions to incorporate those security fixes within their MongoDB packages and hence provide this fundamental security support to their users?
Comments

Comment by Alex Murray [ 14/Jun/22 ]
Hi Kelsey, Thanks for taking the time to look into this and get back to me. That is a shame, as it means that there is no way for distributions to take existing MongoDB security patches and provide these to their users - as such there will likely be a lot of unpatched and hence vulnerable MongoDB instances. Would it be possible for this decision to be reconsidered, as having a large number of vulnerable MongoDB instances deployed is surely not a great end result for MongoDB? Thanks, Alex
Comment by Kelsey Schubert [ 13/Jun/22 ]
Unfortunately, it is not possible to dual-license security patches under AGPL. It may be worth noting that the only versions of MongoDB currently supported have been licensed under SSPL for their lifetime, and distributions for particular Linux targets are still available for download: https://www.mongodb.com/try/download/community. Best regards,