Request for Adding Ubuntu Kylin Archive

Steve Langasek steve.langasek at ubuntu.com
Fri Apr 4 21:26:54 UTC 2014


On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
> >>However, it seems that the proposal being discussed here is to add a
> >>second root of trust for the Ubuntu community.  One root of trust is
> >>necessary; two roots of trust, however trustworthy, are a weakness, and
> >>one we should try to avoid.

> I fully agree with this. If we were to ultimately allow a Kylin-specific
> archive, having it be located under the same root of trust should be a
> requirement.

Does your phrasing here ("if we were to ultimately allow") imply that you
see other blockers for approving such a thing?  Or are we at the point that
we should try to write up our understanding of the plan and vote on it?

> >> - It's understood that the package archive server will be located in China
> >>   and that only NUDT will have the rights to distribute the packages.  But,
> >>   is there a license reason that we could not do the package *builds* on
> >>   the existing Launchpad infrastructure, in a private ppa or other private
> >>   archive?  This would make it possible to do the package builds using the
> >>   existing trusted infrastructure, and to do all package signing using the
> >>   existing archive keys, while publishing the packages for distribution
> >>   only under control of the Ubuntu Kylin team.  Would this satisfy the
> >>   requirements from the Kylin side?

> > Yes, you have an accurate understanding of our situations, and I think
> > we could build and sign these packages on LP.  Actually, we have been
> > building the Sogou input method on LP during our co-development with Sogou
> > Corp.  We will build Kuaipan Storage Client and Kingsoft Office on LP
> > soon.

> I think building the software in a private PPA, and then mirroring the
> signed PPA onto NUDT's infrastructure would be a reasonable way of
> achieving all the requirements.

> Would that be an acceptable solution?

It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
trying to dictate the technical details at this level.  We might find that
this is the best technical implementation, or we might find that something
closer to partner, where packages are uploaded to a central archive queue
and managed using the Ubuntu archive tooling, makes more sense.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org