Request for Adding Ubuntu Kylin Archive

Stéphane Graber stgraber at ubuntu.com
Wed Apr 2 20:07:18 UTC 2014


On Tue, Apr 01, 2014 at 11:42:34PM +0800, jackyu at ubuntukylin.com wrote:
> Hi Technical Board,
> 
> I'm writing to request to add an archive for Ubuntu Kylin flavor. This archive mainly includes Chinese commercial packages co-developed by Ubuntu Kylin team and commercial companies. We also developed a software center client that supports both Ubuntu archive and Ubuntu Kylin archive. 
> 
> 
> This request has already been supported by Jason, Leonard, Anthony, etc. from Canonical team. We know that in the rules of Ubuntu, flavors are not allowed to add archives. However, Ubuntu Kylin is a little special since it mainly focuses on Chinese users. Our partners (such as Sogou, Kingsoft) want to locate their apps in China.
> 
> 
> Do you have any comments on this? Thanks in advance.

Hi,

My personal opinion on the matter is that it's too late to do that kind
of stuff for 14.04, we are just a couple of weeks away from release so I
don't think it's the right time to discuss potentially major changes to
our policy with regard to what a flavour may use as its repositories.

I can see why that kind of feature would be beneficial to you and for
your users, however I'd need a whole lot more documentation on exactly
how that'd work before I even consider this.

One of my main concerns is about how those packages would be built,
where, who would sign them, how would the signing keys be handled, ...

So far all the official archives of the Ubuntu project are basically
handled in the same way, things build on Launchpad using the official
build infrastructure and build chroots, the result is then either
directly published to a signed archive (primary and partner archives) or
published in a PPA and then mirrored and signed (extra and cloud
archive). In all cases, we have a direct trust path between the archive
master key and those sub-archive keys, the main private keys are sharded
and we have a clear process as to what to do in the event a key is
compromised.

As any such archive is technically able to push any package to any
machine that has it enabled, it's critical that the security side of
things is well thought through and documented ahead of time.

> 
> 
> --
> Regards,
> Jack Yu
> UbuntuKylin Team



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com