Request for Adding Ubuntu Kylin Archive

Marc Deslauriers marc.deslauriers at canonical.com
Fri Apr 4 18:09:07 UTC 2014


On 14-04-04 09:08 AM, jackyu at ubuntukylin.com wrote:
> Hi Steve,
> 
> Thanks a lot for all your help to make Ubuntu Kylin better and better. See
> below please.
> 
> --
> Regards,
> Jack Yu
> UbuntuKylin Team
> 
> 
> At 2014-04-04 09:39:36,"Steve Langasek" <steve.langasek at ubuntu.com> wrote:
>>Hi Jack,
>>
>>On Tue, Apr 01, 2014 at 11:42:34PM +0800, jackyu at ubuntukylin.com wrote:
>>> Hi Technical Board,
>>
>>> I'm writing to request to add an archive for Ubuntu Kylin flavor. This
>>> archive mainly includes Chinese commercial packages co-developed by Ubuntu
>>> Kylin team and commercial companies.  We also developed a software center
>>> client that supports both Ubuntu archive and Ubuntu Kylin archive.
>>
>>> This request has already been supported by Jason, Leonard, Anthony, etc.
>>> from Canonical team.  We know that in the rules of Ubuntu, flavors are not
>>> allowed to add archives.  However, Ubuntu Kylin is a little special since
>>> it mainly focuses on Chinese users.  Our partners (such as Sogou,
>>> Kingsoft) want to locate their apps in China.
>>
>>> Do you have any comments on this? Thanks in advance.
>>
>>Thank you for raising this issue before the Technical Board.  I understand
>>that you've already gone through the process of discussing this with
>>Canonical's business team, so having to discuss it all again with the TB is
>>probably very frustrating.  However, the TB has a mandate to provide
>>independent oversight for the technical decisions made around Ubuntu and its
>>flavors, to ensure transparency and accountability to Ubuntu's founding
>>principles.  So I ask that you bear with us as we get up to speed on
>>Ubuntu Kylin's needs.
>>
> 
> Sorry that we have some misunderstanding on the process. As an Ubuntu flavor, we very much appreciate the Ubuntu rules. We are happy to apply for your permission, which will also make our solution stronger :).
> 
> 
>>We of course don't want to block any legitimate activities by any of the
>>Ubuntu flavors - our purpose is to facilitate the Ubuntu community in doing
>>great things, not to be a roadblock to progress! - but our default position
>>will be one of natural conservatism: our goal is to make Ubuntu sustainable
>>and coherent over the long term, so when something like a new archive is
>>proposed, we will want to understand why it doesn't fit among the (already
>>quite complex) set of existing archives.
>>
>>For the reference of everyone here, there is an existing, Tech
>>Board-approved policy regarding the addition of extension repositories:
>>
>>  https://wiki.ubuntu.com/ExtensionRepositoryPolicy
>>
>>I think the conversation here should be focused around how the proposed new
>>archive does or doesn't fit this policy, and if there are ways in which the
>>existing policy falls short.
>>
>>For instance, point 1.8 of this policy talks specifically about Canonical. 
>>It's worth understanding the reasons why this is, and how these reasons
>>apply to the question of an archive with a separate root of trust (i.e.,
>>NUDT).
>>
>>As the original seed of the Ubuntu community, Canonical is in a unique
>>position of absolute trust within that community.  Canonical manages the
>>infrastructure on which the Ubuntu archive runs, sets the security policies
>>governing access to the signing keys in use, and protects the integrity of
>>the overall system.  The Ubuntu community, in turn, implicitly trusts
>>Canonical to carry out this function; this is not just because several
>>members of the TB are employed by Canonical, but because there must be
>>*some* root of trust, which for Ubuntu is Canonical.
>>
>>However, it seems that the proposal being discussed here is to add a second
>>root of trust for the Ubuntu community.  One root of trust is necessary; two
>>roots of trust, however trustworthy, are a weakness, and one we should try
>>to avoid.

I fully agree with this. If we were to ultimately allow a Kylin-specific
archive, having it be located under the same root of trust should be a requirement.

>>
>>My understanding is that - answering Martin's question - the software you're
>>proposing to put in this archive is commercial software that Canonical does
>>not have the rights to distribute.  Only NUDT, Ubuntu Kylin's commercial
>>backer in China, has these distribution rights.  It makes sense that Chinese
>>software companies may prefer to do business with other companies in China,
>>rather than foreign companies like Canonical; and just as we have
>>archive.canonical.com (the Canonical partner archive) to make sure that free
>>redistribution from our mirrors is not an obstacle to our users having
>>access to a piece of software, if there is software that's interesting to
>>our users which *Canonical* cannot distribute, but one of our partners in
>>the Ubuntu community can, we should consider how we can enable this software
>>to be made available within the Ubuntu framework instead of outside of it.
>>
>>Some questions that I think will help clarify:
>>
>> - It's understood that the package archive server will be located in China
>>   and that only NUDT will have the rights to distribute the packages.  But,
>>   is there a license reason that we could not do the package *builds* on
>>   the existing Launchpad infrastructure, in a private ppa or other private
>>   archive?  This would make it possible to do the package builds using the
>>   existing trusted infrastructure, and to do all package signing using the
>>   existing archive keys, while publishing the packages for distribution
>>   only under control of the Ubuntu Kylin team.  Would this satisfy the
>>   requirements from the Kylin side?
> 
> Yes, you have an accurate understanding of our situation, and I think we could build and sign these packages on LP. Actually, we have been building the Sogou input method on LP during our co-development with Sogou Corp. We will build Kuaipan Storage Client and Kingsoft Office on LP soon.
>

I think building the software in a private PPA, and then mirroring the signed
PPA onto NUDT's infrastructure would be a reasonable way of achieving all the
requirements.

Would that be an acceptable solution?


>> - If you must run your own signing infrastructure, who will have access to
>>   the archive servers (both remote access and local access)?  Who will have
>>   access to the master signing key?  What are the archive key rotation
>>   policies for this archive?

There are substantial implications and work inherent in creating a new and
separate root of trust. Having packages be signed by a private PPA key using the
Launchpad infrastructure would be greatly preferable.

>>
>> - What are the criteria that the Ubuntu Kylin Council would use to decide
>>   what packages will be included in this new archive?  Will this archive
>>   comply with the existing https://wiki.ubuntu.com/ExtensionRepositoryPolicy
>>   requirements?
> 
> Our criteria should comply with Ubuntu requirements. If there are any exceptions, we should start a request to the Ubuntu TB like this one.
> 

Do all your current packages comply with the current extension repository
policy? Do you believe any may be problematic in the future?


>> - Will users of Ubuntu Kylin (and Ubuntu) outside of China be able to
>>   download these packages, or will access be geographically limited?
> 
> Yes, users all around the world can access these packages (but I think most of them are Ubuntu Kylin users, since these packages are only useful for Chinese).
> 
> 

Thanks,

Marc.
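The build-on-Launchpad-then-mirror arrangement discussed above only preserves the single root of trust if the mirror serves exactly what the PPA key signed. As an added example (not code from this thread, Launchpad or the Ubuntu Kylin team), the script below checks a mirrored archive's index files against the SHA256 section of its Release file; the origin name and index contents are constructed, and it assumes the Release signature has already been verified with gpgv against the existing PPA key before the hash check runs.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_release(indexes: dict, suite: str = "trusty") -> str:
    """Build the signed payload of an apt Release file: a few metadata
    fields plus a SHA256 section of "<digest> <size> <path>" entries.
    Upstream (Launchpad, for a PPA) produces this and signs it."""
    lines = ["Origin: LP-PPA-example", f"Suite: {suite}",
             f"Codename: {suite}", "Components: main", "SHA256:"]
    for path in sorted(indexes):
        data = indexes[path]
        lines.append(f" {sha256_hex(data)} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"

def parse_sha256_section(release: str) -> dict:
    """Map index path -> (digest, size) from the Release file's SHA256 block."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break  # first non-indented line ends the section
    return entries

def verify_mirror(release: str, mirrored: dict) -> list:
    """Return index paths whose mirrored copy is missing or differs in size
    or digest from what the Release file (and hence its signature) covers.
    An empty list means the mirror serves exactly what upstream signed."""
    problems = []
    for path, (digest, size) in parse_sha256_section(release).items():
        data = mirrored.get(path)
        if data is None or len(data) != size or sha256_hex(data) != digest:
            problems.append(path)
    return problems

# Constructed sample: two index files as published by a hypothetical PPA.
UPSTREAM_INDEXES = {
    "main/binary-amd64/Packages": b"Package: example-ime\nVersion: 1.0-1\n",
    "main/binary-i386/Packages": b"Package: example-ime\nVersion: 1.0-1\n",
}
RELEASE = make_release(UPSTREAM_INDEXES)

# A faithful mirror passes; one with a modified index and a dropped one fails.
FAITHFUL_MIRROR = dict(UPSTREAM_INDEXES)
BROKEN_MIRROR = {"main/binary-amd64/Packages": b"Package: example-ime\nVersion: 1.0-2\n"}
```

Run against a real mirror, the same check would be applied to the files fetched from NUDT's server after gpgv accepts the InRelease signature, so a mirror-side modification is caught without any second signing key being trusted.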
