Request for Adding Ubuntu Kylin Archive

Stéphane Graber stgraber at ubuntu.com
Fri Apr 4 21:34:38 UTC 2014 

On Fri, Apr 04, 2014 at 02:26:54PM -0700, Steve Langasek wrote:
> On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
> > >>However, it seems that the proposal being discussed here is to add a
> > >>second root of trust for the Ubuntu community.  One root of trust is
> > >>necessary; two roots of trust, however trustworthy, are a weakness, and
> > >>one we should try to avoid.
> 
> > I fully agree with this. If we were to ultimately allow a Kylin-specific
> > archive, having it be located under the same root of trust should be a
> > requirement.
> 
> Does your phrasing here ("if we were to ultimately allow") imply that you
> see other blockers for approving such a thing?  Or are we at the point that
> we should try to write up our understanding of the plan and vote on it?
> 
> > >> - It's understood that the package archive server will be located in China
> > >>   and that only NUDT will have the rights to distribute the packages.  But,
> > >>   is there a license reason that we could not do the package *builds* on
> > >>   the existing Launchpad infrastructure, in a private ppa or other private
> > >>   archive?  This would make it possible to do the package builds using the
> > >>   existing trusted infrastructure, and to do all package signing using the
> > >>   existing archive keys, while publishing the packages for distribution
> > >>   only under control of the Ubuntu Kylin team.  Would this satisfy the
> > >>   requirements from the Kylin side?
> 
> > > Yes, you have an accurate understanding of our situations, and I think
> > > we could build and sign these packages on LP.  Actually, we have been
> > > building the Sogou input method on LP during our co-developed with Sogou
> > > Corp.  We will build Kuaipan Storage Client and Kingsoft Office on LP
> > > soon.
> 
> > I think building the software in a private PPA, and then mirroring the
> > signed PPA onto NUDT's infrastructure would be a reasonable way of
> > achieving all the requirements.
> 
> > Would that be an acceptable solution?
> 
> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
> trying to dictate the technical details at this level.  We might find that
> this is the best technical implementation, or we might find that something
> closer to partner, where packages are uploaded to a central archive queue
> and managed using the Ubuntu archive tooling, makes more sense.

I think we can at least set the following high level requirements:
 - Uploaders must be Ubuntu members and have signed the CoC (I'd have
   been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
   on the Kylin team would be able to upload...)
 - Packages must be built on the same infrastructure as Ubuntu, using
   the same builder pool and build chroots.
 - The result must be signed by a GPG key managed by Canonical (not
   provided to the Kylin team) within the Canonical infrastructure.
 - That GPG key must be separate from any other key currently in use and
   should be (not a hard requirement for 14.04) signed by the archive
   master key.
 - Distribution will be done through a server managed by the Kylin team
   which will get its content from a private server on Canonical's network.

That should leave enough room for implementation details to be decided
by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
actually care about.

Thoughts?

> 
> Cheers,
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> Ubuntu Developer                                    http://www.debian.org/
> slangasek at ubuntu.com                                     vorlon at debian.org



> -- 
> technical-board mailing list
> technical-board at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/technical-board


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20140404/d2fa252c/attachment.pgp>

More information about the technical-board mailing list