Request for Adding Ubuntu Kylin Archive
jackyu at ubuntukylin.com
jackyu at ubuntukylin.com
Fri Apr 4 13:08:53 UTC 2014
Hi Steve,
Thanks a lot for all your help to make Ubuntu Kylin better and better. See bellow please.
--
Regards,
Jack Yu
UbuntuKylin Team
At 2014-04-04 09:39:36,"Steve Langasek" <steve.langasek at ubuntu.com> wrote:
>Hi Jack,
>
>On Tue, Apr 01, 2014 at 11:42:34PM +0800, jackyu at ubuntukylin.com wrote:
>> Hi Technical Board,
>
>> I'm writing to request to add an archive for Ubuntu Kylin flavor. This
>> archive mainly includes Chinese commercial packages co-developed by Ubuntu
>> Kylin team and commercial companies. We also developed a software center
>> client that supports both Ubuntu archive and Ubuntu Kylin archive.
>
>> This request have already been supported by Jason, Leonard, Anthony, etc.
>> from Canonical team. We know that in the rules of Ubuntu, flavors are not
>> allowed to add archives. However, Ubuntu Kylin is a little special since
>> it mainly focuses on Chinese users. Our partners (Such as Sogou, King
>> soft) want to locate their apps in China.
>
>> Do you have any comments on this? Thanks in advance.
>
>Thank you for raising this issue before the Technical Board. I understand
>that you've already gone through the process of discussing this with
>Canonical's business team, so having to discuss it all again with the TB is
>probably very frustrating. However, the TB has a mandate to provide
>independent oversight for the technical decisions made around Ubuntu and its
>flavors, to ensure transparency and accountability to Ubuntu's founding
>principles. So I ask that you bear with us as we get up to speed on
>Ubuntu Kylin's needs.
>
Sorry that we have some misunderstanding on the process. As a Ubuntu flavor, we are very appreciating the Ubuntu rules. We are happy to apply your permission, which will also make our solution stronger:).
>We of course don't want to block any legitimate activities by any of the
>Ubuntu flavors - our purpose is to facilitate the Ubuntu community in doing
>great things, not to be a roadblock to progress! - but our default position
>will be one of natural conservatism: our goal is to make Ubuntu sustainable
>and coherent over the long term, so when something like a new archive is
>proposed, we will want to understand why it doesn't fit among the (already
>quite complex) set of existing archives.
>
>For the reference of everyone here, there is an existing, Tech
>Board-approved policy regarding the addition of extension repositories:
>
> https://wiki.ubuntu.com/ExtensionRepositoryPolicy
>
>I think the conversation here should be focused around how the proposed new
>archive does or doesn't fit this policy, and if there are ways in which the
>existing policy falls short.
>
>For instance, point 1.8 of this policy talks specifically about Canonical.
>It's worth understanding the reasons why this is, and how these reasons
>apply to the question of an archive with a separate root of trust (i.e.,
>NUDT).
>
>As the original seed of the Ubuntu community, Canonical is in a unique
>position of absolute trust within that community. Canonical manages the
>infrastructure on which the Ubuntu archive runs, sets the security policies
>governing access to the signing keys in use, and protects the integrity of
>the overall system. The Ubuntu community, in turn, implicitly trusts
>Canonical to carry out this function; this is not just because several
>members of the TB are employed by Canonical, but because there must be
>*some* root of trust, which for Ubuntu is Canonical.
>
>However, it seems that the proposal being discussed here is to add a second
>root of trust for the Ubuntu community. One root of trust is necessary; two
>roots of trust, however trustworthy, are a weakness, and one we should try
>to avoid.
>
>My understanding is that - answering Martin's question - the software you're
>proposing to put in this archive is commercial software that Canonical does
>not have the rights to distribute. Only NUDT, Ubuntu Kylin's commercial
>backer in China, has these distribution rights. It makes sense that Chinese
>software companies may prefer to do business with other companies in China,
>rather than foreign companies like Canonical; and just as we have
>archive.canonical.com (the Canonical partner archive) to make sure that free
>redistribution from our mirrors is not an obstacle to our users having
>access to a piece of software, if there is software that's interesting to
>our users which *Canonical* cannot distribute, but one of our partners in
>the Ubuntu community can, we should consider how we can enable this software
>to be made available within the Ubuntu framework instead of outside of it.
>
>Some questions that I think will help clarify:
>
> - It's understood that the package archive server will be located in China
> and that only NUDT will have the rights to distribute the packages. But,
> is there a license reason that we could not do the package *builds* on
> the existing Launchpad infrastructure, in a private ppa or other private
> archive? This would make it possible to do the package builds using the
> existing trusted infrastructure, and to do all package signing using the
> existing archive keys, while publishing the packages for distribution
> only under control of the Ubuntu Kylin team. Would this satisfy the
> requirements from the Kylin side?
Yes, you have an accurate understanding of our situations, and I think we could build and sign these packages on LP. Actually, we have been building the Sogou input method on LP during our co-developed with Sogou Corp. We will build Kuaipan Storage Client and Kingsoft Office on LP soon.
> - If you must run your own signing infrastructure, who will have access to
> the archive servers (both remote access and local access)? Who will have
> access to the master signing key? What are the archive key rotation
> policies for this archive?
>
> - What are the criteria that the Ubuntu Kylin Council would use to decide
> what packages will be included in this new archive? Will this archive
> comply with the existing https://wiki.ubuntu.com/ExtensionRepositoryPolicy
> requirements?
Our criteria should be comply with Ubuntu requirements. If any exceptions, we should start a request to Ubuntu TB like this.
> - Will users of Ubuntu Kylin (and Ubuntu) outside of China be able to
> download these packages, or will access be geographically limited?
Yes, users all around the world can access these packages (But I think most of they are Ubuntu Kylin users, since these packages are only useful for Chinese).
>Thanks,
>--
>Steve Langasek Give me a lever long enough and a Free OS
>Debian Developer to set it on, and I can move the world.
>Ubuntu Developer http://www.debian.org/
>slangasek at ubuntu.com vorlon at debian.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20140404/531c67c1/attachment-0001.html>
More information about the technical-board
mailing list