Request for Adding Ubuntu Kylin Archive
Stéphane Graber
stgraber at ubuntu.com
Sat Apr 5 14:39:03 UTC 2014
On Sat, Apr 05, 2014 at 09:07:10AM -0400, Marc Deslauriers wrote:
> On 14-04-04 05:34 PM, Stéphane Graber wrote:
> > On Fri, Apr 04, 2014 at 02:26:54PM -0700, Steve Langasek wrote:
> >> On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
> >>>>> However, it seems that the proposal being discussed here is to add a
> >>>>> second root of trust for the Ubuntu community. One root of trust is
> >>>>> necessary; two roots of trust, however trustworthy, are a weakness, and
> >>>>> one we should try to avoid.
> >>
> >>> I fully agree with this. If we were to ultimately allow a Kylin-specific
> >>> archive, having it be located under the same root of trust should be a
> >>> requirement.
> >>
> >> Does your phrasing here ("if we were to ultimately allow") imply that you
> >> see other blockers for approving such a thing? Or are we at the point that
> >> we should try to write up our understanding of the plan and vote on it?
>
> No, I don't think there are any blockers.
>
> >>
> >>>>> - It's understood that the package archive server will be located in China
> >>>>> and that only NUDT will have the rights to distribute the packages. But,
> >>>>> is there a license reason that we could not do the package *builds* on
> >>>>> the existing Launchpad infrastructure, in a private ppa or other private
> >>>>> archive? This would make it possible to do the package builds using the
> >>>>> existing trusted infrastructure, and to do all package signing using the
> >>>>> existing archive keys, while publishing the packages for distribution
> >>>>> only under control of the Ubuntu Kylin team. Would this satisfy the
> >>>>> requirements from the Kylin side?
> >>
> >>>> Yes, you have an accurate understanding of our situations, and I think
> >>>> we could build and sign these packages on LP. Actually, we have been
> >>>> building the Sogou input method on LP during our co-development with Sogou
> >>>> Corp. We will build Kuaipan Storage Client and Kingsoft Office on LP
> >>>> soon.
> >>
> >>> I think building the software in a private PPA, and then mirroring the
> >>> signed PPA onto NUDT's infrastructure would be a reasonable way of
> >>> achieving all the requirements.
> >>
> >>> Would that be an acceptable solution?
> >>
> >> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
> >> trying to dictate the technical details at this level. We might find that
> >> this is the best technical implementation, or we might find that something
> >> closer to partner, where packages are uploaded to a central archive queue
> >> and managed using the Ubuntu archive tooling, makes more sense.
> >
> > I think we can at least set the following high level requirements:
> > - Uploaders must be Ubuntu members and have signed the CoC (I'd have
> > been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
> > on the Kylin team would be able to upload...)
> > - Packages must be built on the same infrastructure as Ubuntu, using
> > the same builder pool and build chroots.
> > - The result must be signed by a GPG key managed by Canonical (not
> > provided to the Kylin team) within the Canonical infrastructure.
> > - That GPG key must be separate from any other key currently in use and
> > should be (not a hard requirement for 14.04) signed by the archive
> > master key.
> > - Distribution will be done through a server managed by the Kylin team
> > which will get its content from a private server on Canonical's network.
> >
> > That should leave enough room for implementation details to be decided
> > by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
> > actually care about.
> >
> > Thoughts?
>
> Can we add to the requirements that the packages in the repository must adhere
> to the Extension Repository Policy (or perhaps a slightly adjusted version)?
+1
> Marc.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
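The "separate GPG key" requirement above has a client-side consequence worth spelling out: if the Kylin key is added to apt's global trusted set, apt will accept it for every configured source, including the main Ubuntu archive, which undoes the separation. Binding the key to its one repository with Signed-By keeps the two trust scopes apart. This is an added illustration, not part of the thread or of any Ubuntu tooling; the hostname and key path are placeholders, and Signed-By needs apt 1.1 or newer (later than the apt shipped in 14.04).

```text
# Weak: the repository key is added to apt's global trusted set (apt-key add, or
# a file dropped into /etc/apt/trusted.gpg.d/). Any key there is accepted for
# *every* configured source, so the Kylin key could also vouch for packages
# claiming to come from the main Ubuntu archive.
#
#   apt-key add ubuntu-kylin-archive.gpg        # avoid

# Corrected: keep the key out of the trusted set and bind it to exactly one
# source with Signed-By, so apt accepts it only for this repository and the
# archive master key's signature on it can be checked separately.
# /etc/apt/sources.list.d/ubuntu-kylin.sources   (deb822 format, placeholder values)
Types: deb
URIs: https://archive.ubuntukylin.example/ubuntu
Suites: trusty
Components: main
Signed-By: /usr/share/keyrings/ubuntu-kylin-archive.gpg
```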