There is no version 2.8 of Mongo, they renamed that to 3.0 before release of 3.0. Just to provide a sense of the thought process other EPEL7 users might be going through here: I started researching this when I became aware that 2.6 was nearing upstream end-of-life (that is now happening today). I was aware of the recent major version upgrade of nodejs in EPEL7, so I assumed something like that was imminent. However, when I looked here: http://koji.fedoraproject.org/koji/buildinfo?buildID=802214 I saw that there have been several patches to EPEL6 MongoDB 2.4 since it reached its upstream end-of-life in March. So based on that evidence of prior commitment to maintaining MongoDB past end-of-life, I assumed that the intention was to keep on backporting patches to both 2.4 and 2.6. And I cancelled my red alert and stopped worrying about transitioning to the official MongoDB repositories. However it sounds like Marek, as the maintainer, is saying he doesn't have time to maintain 2.4 or 2.6. That's fair of course. Free is a very good price, and all that. (: For EPEL7, the upgrade seems fairly straightforward. 3.0 was really a marketing switch in the name of 2.8. I have experienced few problems moving projects between 3.0 and 2.6. Swapping the binaries and restarting is officially supported according to the documentation. The compatibility break pages are pretty short and there isn't much that would be in typical queries. For EPEL6, the upgrade is harder because you must first bump them to 2.6 and then to 3.0, there is no support for moving directly from 2.4 to 3.0. We could push out 2.6, wait a few weeks, and push out 3.0, but this would have a very unsatisfactory result for people who just don't happen to upgrade during those few weeks. They would get moved directly from 2.4 to 3.0 and the process would not work. There are also more bc breaks moving from 2.4, 2.6 and above are "pickier," notably a $set with no properties in the object will fail. https://docs.mongodb.com/v2.6/release-notes/2.6-compatibility/#driver-com... In both cases, a proper announcement is necessary. A fair question is whether we should move to 3.0 or 3.2. The folks maintaining nodejs for EPEL chose to move from 0.10 to 6.x, skipping 4.x, because one bc break is better than two. So what I would suggest is this: FOR EPEL 6 * Announce our intentions. * IN THE MEANTIME: If any really major security fails occur between now and when we get this done, we grit our teeth and patch 2.4. * Publish a 3.0 package that refuses to install with an appropriate error message if it sees 2.4 (but is fine with seeing 2.6). * Simultaneously publish 2.6-for-upgrading package; the instructions for those with 2.4 point you to that package, and to this URL: https://docs.mongodb.com/v3.2/release-notes/2.6-upgrade/ * Users must manually install the 2.6-for-upgrading package, since the possible complexities of a 2.4 to 2.6 upgrade are beyond an automated post-install script IMHO. Notably: https://docs.mongodb.com/v3.2/release-notes/2.6-upgrade/#upgrade-auth-prereq * Once a user succeeds in that process, they can "yum update" painlessly to 3.0 like the EPEL7 people (see below). FOR EPEL 7 * Announce our intentions. I don't know how much notice is thought appropriate. The nodejs maintainers gave a lot of warning, but they also knew what was up way before end of life (: * Prepare a package for 3.0. It's a forced upgrade from 2.6. * Release it. If possible, print this URL after install: https://docs.mongodb.com/v3.2/release-notes/3.0-compatibility/ * Done (: Just my suggestion — I realize I just blew into town. Hope we can figure this out before the next CVE!

I think that if a CVE arrives that we can't easily address through a patch, we have to be prepared to force an upgrade. Potentially "abandoning" a package that has CVEs in the wild, in the hope people will read about an optional upgrade, sounds like a policy we could regret. Is there any history of EPEL just abandoning a package? What should happen in that situation? Perhaps it's been necessary at some point (no support upstream, no one available downstream either...).

Even there should be security patches for 2.6 for some time, I am not against upgrade in EPEL7. I am not sure that upgrading in EPEL6 worth the time - I am afraid that a lot of dependencies is outdated in EPEL6 and people could use newer RHEL version... So is everyone fine with announcing this upgrade and preparing it? How long should take period between upgrade steps (2.6->3.0, time period, 3.0->3.2) - two months? Also I am not sure if I will upgrade to the latest version - it depends on how much dependencies would have to bring to EPEL. Volunteers welcomed!

On 1 November 2016 at 13:33, Tom Boutell <tom(a)punkave.com&gt; wrote: Do you have a link to that? There is softwarecollections.org which is the equivalent to EPEL. There is Red Hat Software Collections which is not a community product but a paid for serivce from Red Hat. -- Stephen J Smoogen.

On 1 November 2016 at 16:50, Tom Boutell <tom(a)punkave.com&gt; wrote: I don't know if it is reasonable for several reasons. 1. We have no access (no pun intended) to those packages. [Yes the person packages mongodb in Fedora works for Red Hat but that does not mean they have access to the bits that another group is doing for SCL work.] 2. SCL packages use their own form of magic and have their own solutions to security issues. This can mean what they do for a particular package won't work outside of an SCL environment. [This may not be the case for mongodb.. I don't know enough to say yes/no.] -- Stephen J Smoogen.

On 2 November 2016 at 10:24, Tom Boutell <tom(a)punkave.com&gt; wrote: Just because something is under a GNU license does not mean that anyone has access to the file. The GNU license only covers the rights of a person who got the executable from the 'vendor' that they have access to the source code. What I am saying is that EPEL is made up of volunteers. If you are volunteering to do this work then great. If you are expecting that someone else is going to do this work for you.. then not so great. -- Stephen J Smoogen.

It may serve good. Everyone have to decide what fits better for him... Some points: 1. I am not sure what is the current status of integration with systemctl (used on RHEL7). 2. Even upstream won't prepare CVE fixes after version EOL. 3. Upstream packages are bundling all dependent packages (~10 for 2.6) - so upstream have to handle also all (security) fixes for those packages. Not sure what is their policy. 3. SELinux support/integration is better for EPEL packages.

Thanks Marek, that does clear up a lot of confusion. I think you're saying that because the maintainer is the same and the packages are essentially the same (in this case), it's reasonably likely maintenance of 2.6 for EPEL7 will continue until 2.6 reaches its end date in SCL (April 2018). Not certain, but signs point to yes. Is that a reasonable summary? Thanks!