[SERVER-66229] Security (CVE) patches are not AGPL licensed Created: 05/May/22  Updated: 14/Jun/22  Resolved: 13/Jun/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Alex Murray Assignee: Kelsey Schubert
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

Description

As per the License FAQ, patches to MongoDB server are now licensed under the SSPL.

In general, Linux distributions have not been able to adopt these more recent releases of mongodb due to this license change. As such, these distributions still ship and try to maintain the older AGPL licensed mongodb release. However, given that this older release is no longer maintained it is now affected by numerous security vulnerabilities which cannot be patched in these distributions due to the aforementioned license change.

Would it be possible for MongoDB to dual-license just the specific CVE/security bug patches as AGPL to allow these distributions to incorporate those security fixes within their mongodb packages and hence provide this fundamental security support to their users?



Comments
Comment by Alex Murray [ 14/Jun/22 ]

Hi Kelsey,

Thanks for taking the time to look into this and get back to me. That is a shame, as it means that there is no way for distributions to take existing MongoDB security patches and provide these to their users - as such there will likely be a lot of unpatched and hence vulnerable MongoDB instances.

Would it be possible for this decision to be reconsidered, as having a large number of vulnerable MongoDB instances deployed is surely not a great end result for MongoDB?

Thanks,

Alex


Comment by Kelsey Schubert [ 13/Jun/22 ]

Hi alex.murray@canonical.com,

Unfortunately, it is not possible to dual-license security patches under AGPL. It may be worth noting that the only versions of MongoDB currently supported have been licensed under SSPL for their lifetime, and distributions for particular Linux targets are still available for download: https://www.mongodb.com/try/download/community.

Best regards,
Kelsey
