Request for Adding Ubuntu Kylin Archive

Sat Apr 5 13:07:10 UTC 2014

On 14-04-04 05:34 PM, Stéphane Graber wrote:
> On Fri, Apr 04, 2014 at 02:26:54PM -0700, Steve Langasek wrote:
>> On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
>>>>> However, it seems that the proposal being discussed here is to add a
>>>>> second root of trust for the Ubuntu community.  One root of trust is
>>>>> necessary; two roots of trust, however trustworthy, are a weakness, and
>>>>> one we should try to avoid.
>>
>>> I fully agree with this. If we were to ultimately allow a Kylin-specific
>>> archive, having it be located under the same root of trust should be a
>>> requirement.
>>
>> Does your phrasing here ("if we were to ultimately allow") imply that you
>> see other blockers for approving such a thing?  Or are we at the point that
>> we should try to write up our understanding of the plan and vote on it?

No, I don't think there are any blockers.

>>
>>>>> - It's understood that the package archive server will be located in China
>>>>>   and that only NUDT will have the rights to distribute the packages.  But,
>>>>>   is there a license reason that we could not do the package *builds* on
>>>>>   the existing Launchpad infrastructure, in a private ppa or other private
>>>>>   archive?  This would make it possible to do the package builds using the
>>>>>   existing trusted infrastructure, and to do all package signing using the
>>>>>   existing archive keys, while publishing the packages for distribution
>>>>>   only under control of the Ubuntu Kylin team.  Would this satisfy the
>>>>>   requirements from the Kylin side?
>>
>>>> Yes, you have an accurate understanding of our situations, and I think
>>>> we could build and sign these packages on LP.  Actually, we have been
>>>> building the Sogou input method on LP during our co-developed with Sogou
>>>> Corp.  We will build Kuaipan Storage Client and Kingsoft Office on LP
>>>> soon.
>>
>>> I think building the software in a private PPA, and then mirroring the
>>> signed PPA onto NUDT's infrastructure would be a reasonable way of
>>> achieving all the requirements.
>>
>>> Would that be an acceptable solution?
>>
>> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
>> trying to dictate the technical details at this level.  We might find that
>> this is the best technical implementation, or we might find that something
>> closer to partner, where packages are uploaded to a central archive queue
>> and managed using the Ubuntu archive tooling, makes more sense.
> 
> I think we can at least set the following high level requirements:
>  - Uploaders must be Ubuntu members and have signed the CoC (I'd have
>    been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
>    on the Kylin team would be able to upload...)
>  - Packages must be built on the same infrastructure as Ubuntu, using
>    the same builder pool and build chroots.
>  - The result must be signed by a GPG key managed by Canonical (not
>    provided to the Kylin team) within the Canonical infrastructure.
>  - That GPG key must be separate from any other key currently in use and
>    should be (not a hard requirement for 14.04) signed by the archive
>    master key.
>  - Distribution will be done through a server managed by the Kylin team
>    which will get its content from a private server on Canonical's network.
> 
> That should leave enough room for implementation details to be decided
> by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
> actually care about.
> 
> Thoughts?

Can we add to the requirements that the packages in the repository must adhere
to the Extension Repository Policy (or perhaps a slightly adjusted version)?

Marc.