mongodb attribute should refer to a newer version

[FRidh]

Describe the bug

mongodb can no longer be built as it depends on old python2 packages through and older Python 2 version of scons. Using a newer scons version is not possible.

Steps To Reproduce

nix-build -A mongodb

Notify maintainers

@bluescreen303 @offlinehacker @cstrahan @bryanasdev000 @andir @pjjw @dotlambda

#155025 (comment)

[dnaq]

It's unfortunately not that easy due to mongo databases not being compatible between 3.x and 4.2, and 4.2 is the only nixpkgs derivation that uses the new version of scons.

We might need to keep the old version of pyyaml laying around and do some stateVersion trickery in the nixos modules that use mongo to not break people's installations.

I could make a pull request for pyyaml to automatically select the old version if built with python2, that would be enough for the current version of mongodb to work.

[FRidh]

It's unfortunately not that easy due to mongo databases not being compatible between 3.x and 4.2, and 4.2 is the only nixpkgs derivation that uses the new version of scons.

That means it is especially important that people start putting in some effort to get this migration going.

[Emantor]

Mongodb 3.4.24 doesn't need python2 in the buildInputs at all and is the only one built by hydra, I fixed this up in #155194. I am only really interested in this since the unifi package does not work with a newer mongodb version.

[bryanasdev000]

It's unfortunately not that easy due to mongo databases not being compatible between 3.x and 4.2, and 4.2 is the only nixpkgs derivation that uses the new version of scons.

That means it is especially important that people start putting in some effort to get this migration going.

Currently, only >= v4.0 is not EOL'ed, so no big deal, still I wanted to mark as deprecated and leave v4.0, v4.2 and newer versions, but it does not get much attention in nixpkgs (maybe because license+cache?).

I tried to init 4.4 and 5.0 but without lucky, if anyone wants to help #146324.

[bryanasdev000]

If we manage to fix #171928 maybe we can ship with a not EOL'ed version in time.

[bryanasdev000]

Another point to this, I would drop 3.4 and 3.6 since they are long been EOLed (https://www.mongodb.com/support-policy/lifecycles), the downside to that is, 3.4 is the only one that hydra build.

I would like to drop 4.0 too, but its EOL date is too recent.

Pinging @bluescreen303 @offline @cstrahan @kfiz @otavio @bachp @andersk to help in decision.

[andersk]

I’ve never used MongoDB in production, but the documentation suggests that a 3.4 user cannot upgrade directly to 5.0 and must instead successively upgrade to 3.6, 4.0, 4.2, 4.4, and then 5.0, running setFeatureCompatibilityVersion at each step. Therefore, we’ll need a sufficiently long transition window in which all of those intermediate releases are buildable before we can start removing the old ones.

[otavio]

Unsure we ought to keep supporting them forever. For upgrading, user can use Docker as a stopgap solution.

[bryanasdev000]

I’ve never used MongoDB in production, but the documentation suggests that a 3.4 user cannot upgrade directly to 5.0 and must instead successively upgrade to 3.6, 4.0, 4.2, 4.4, and then 5.0, running setFeatureCompatibilityVersion at each step. Therefore, we’ll need a sufficiently long transition window in which all of those intermediate releases are buildable before we can start removing the old ones.

Oh crap, I forgot about this, it may be possible to dump and restore but is not too much feasible with big ass databases.

And indeed, containers may be a solution to "port" the data itself to the new version, obviously with backups (same for dump).

I do not know how depreciation works in nixpkgs, maybe we can show a message when user changes the service package to 3.X? Or put a note in the release changelog...

[dotlambda]

I would use knownVulnerabilities to mark all EOL versions as insecure.

[bryanasdev000]

I would use knownVulnerabilities to mark all EOL versions as insecure.

Nice! I will try to use #172009 as umbrella PR to all this Mongo issues.

[kfiz]

I would use knownVulnerabilities to mark all EOL versions as insecure.

Nice! I will try to use #172009 as umbrella PR to all this Mongo issues.

Good idea. Looking at that PR I would probably not set the default to 5.0.x as this is licensed with the SSPL. I think the last versions licensed with the prior open source compliant AGPL are 4.0.3 and 4.1.4. see https://en.wikipedia.org/wiki/MongoDB#Licensing

[bryanasdev000]

I would use knownVulnerabilities to mark all EOL versions as insecure.

Nice! I will try to use #172009 as umbrella PR to all this Mongo issues.

Good idea. Looking at that PR I would probably not set the default to 5.0.x as this is licensed with the SSPL. I think the last versions licensed with the prior open source compliant AGPL are 4.0.3 and 4.1.4. see https://en.wikipedia.org/wiki/MongoDB#Licensing

I am checking it, but I think only 3.x was fully free, if I am checking right files:

• https://github.com/mongodb/mongo/blob/v4.0/LICENSE-Community.txt
• https://github.com/mongodb/mongo/blob/v4.2/LICENSE-Community.txt
• https://github.com/mongodb/mongo/blob/v4.4/LICENSE-Community.txt
• https://github.com/mongodb/mongo/blob/v5.0/LICENSE-Community.txt

And from https://www.mongodb.com/community/licensing:

Free Software Foundation's GNU AGPL v3.0 (for all versions released prior to October 16, 2018).

Based in Mongo's lifecycle, I think only for a brief period of time, v4.0 did not use SSPL:

https://www.mongodb.com/support-policy/lifecycles

See https://github.com/mongodb/mongo/blob/r4.0.1/LICENSE-Community.txt and after 4.0.3, all versions is using SSPL https://github.com/mongodb/mongo/blob/r4.0.4/LICENSE-Community.txt

If I am not wrong, I think 4.1 was a Rapid Release (https://www.mongodb.com/docs/manual/reference/versioning/#rapid-releases).

So to keep a free version, a downgrade to v4.0 will be needed, from 4.0.27 to 4.0.3.

As much as it would be nice to have Mongo in Hydra cache, I don't think the downgrade is worth it.

[kfiz]

Thanks for looking this up. I personally don't have a preference on this. Just mentioning this because I remember a lengthy discussion that I thought ended with a preference for setting the default to something more open source friendly. So, all good here.

[Artturin]

mongodb defaults to 6.0 since ba6d653