Hi Léo, On Fri, 12 Mar 2021 at 01:56, Léo Le Bouter <lle-b...@zaclys.net> wrote:
> mongodb 3.4.10 has unpatched CVEs and mongodb 3.4.24 has some files in the > release tarball under the SSPL, therefore we cannot provide mongodb while > upholding to good security standards. [...] > doc/guix.texi | 28 ----- > gnu/packages/databases.scm | 252 ------------------------------------- > gnu/services/databases.scm | 88 ------------- > gnu/tests/databases.scm | 83 ------------ > 4 files changed, 451 deletions(-) Could you wait more than 4 days between the patch submission and effectively pushing it? Well, you updated mongodb from 3.4.10 to 3.4.24 on the March 10th, submitted a patch series for the removal on the March 12th and pushed on the March 16th. In the meantime, the update has been reverted on the March 11th because of license issue, IIUC. If the removal for security reasons had been discussed on IRC, it could be nice to point the discussion here. Otherwise, open a discussion on the topic on guix-devel or bug-guix. The full removal is a radical solution (especially, it should be done with 2 commits: service+doc and then package; well another story). All the best, simon
