Request for Adding Ubuntu Kylin Archive

Iain Lane laney at ubuntu.com
Sat Apr 5 16:03:04 UTC 2014 

[ dropped some people that I suspect are subscribed to the list; no need
  to CC me explicitly either - Reply-To / M-F-T set accordingly ]

On Fri, Apr 04, 2014 at 05:34:38PM -0400, Stéphane Graber wrote:
> […]
> I think we can at least set the following high level requirements:
>  - Uploaders must be Ubuntu members and have signed the CoC (I'd have
>    been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
>    on the Kylin team would be able to upload...)
>  - Packages must be built on the same infrastructure as Ubuntu, using
>    the same builder pool and build chroots.
>  - The result must be signed by a GPG key managed by Canonical (not
>    provided to the Kylin team) within the Canonical infrastructure.
>  - That GPG key must be separate from any other key currently in use and
>    should be (not a hard requirement for 14.04) signed by the archive
>    master key.
>  - Distribution will be done through a server managed by the Kylin team
>    which will get its content from a private server on Canonical's network.
> 
> That should leave enough room for implementation details to be decided
> by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
> actually care about.
> 
> Thoughts?

I know I'm not on the TB, but I want to put a couple of things out there
for consideration.

These requirements and the Extension Repository Policy (ERP) that it
seems like you're going to refer to don't say anything about the kinds
of software that it'll be appropriate to deliver through this archive.
In particular, I think I'd feel better if there were an enforceable
expectation that software should be delivered through the regular Ubuntu
repository unless it is not possible to do this for legal reasons. That
means that most packages will follow Ubuntu procedures except when there
is a real reason they cannot (some kind of commercial distribution
agreement with Kylin). I doubt it's written down anywhere, but I think
it's generally understood that the Canonical partner archive is used in
this way already.

Also, the ERP seems to expect a level of Ubuntu project oversight of the
archive ("Archive administrators will enforce the above rules […]"). I
don't know what it would look like, but I think it would be reasonable
to have an analog of this here so that the archive team is able to
protect users if necessary. I suppose this is kind of implicit in
Stéphane's last point above.

Cheers,

-- 
Iain Lane                                  [ iain at orangesquash.org.uk ]
Debian Developer                                   [ laney at debian.org ]
Ubuntu Developer                                   [ laney at ubuntu.com ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20140405/b54bcedc/attachment.pgp>

More information about the technical-board mailing list