I see. Since MongoDB is under a GNU license, I assume you do not literally mean you have
zero access to the changes being made to it in SCL. My assumption is that you actually
mean there's no advanced or privileged access. So if some bad juju goes down, and we
want to look to SCL For help, Marek or whoever is maintaining 2.6 for EPEL at the time
would have to wait for those packages to appear in SCL before the process of porting them
to EPEL can even begin, time during which 2.6 is still vulnerable. Yes?
As for other solutions to security issues, is there any history of these packages
resolving security issues with mongodb with external OS-level features rather than via
patches to the code? It seems unlikely, in that a hack like firewalling it would be too
unsubtle by half and break functionality outright.