Request for Adding Ubuntu Kylin Archive

Stéphane Graber stgraber at ubuntu.com
Tue Apr 8 01:15:22 UTC 2014 

On Mon, Apr 07, 2014 at 05:40:00PM -0700, Steve Langasek wrote:
> On Fri, Apr 04, 2014 at 05:34:38PM -0400, Stéphane Graber wrote:
> > > > I think building the software in a private PPA, and then mirroring the
> > > > signed PPA onto NUDT's infrastructure would be a reasonable way of
> > > > achieving all the requirements.
> 
> > > > Would that be an acceptable solution?
> 
> > > It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
> > > trying to dictate the technical details at this level.  We might find that
> > > this is the best technical implementation, or we might find that something
> > > closer to partner, where packages are uploaded to a central archive queue
> > > and managed using the Ubuntu archive tooling, makes more sense.
> 
> > I think we can at least set the following high level requirements:
> 
> The Ubuntu Kylin team has captured this now in a wiki page:
> 
>   https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive
> 
> Let's please iterate there.

So a few quick things I noticed and that the Kylin team may want to
change before we put it to a vote (I don't think it's a good thing for
the TB to edit a Kylin proposal directly):

"""It will be managed and monitored by Ubuntu Kylin Council. Up-loaders
   should be Ubuntu members and have signed the CoC of Ubuntu. """

Should in my opinion read:
"""It will be managed and monitored by the Ubuntu KylinCouncil.
   Uploaders must be Ubuntu Members and have signed the Ubuntu CoC."""

(s/should/must/ + wording)



"""Packages should be built on the same infrastructure as Ubuntu, using
   the same builder pool and build chroots."""

Should in my opinion read:
"""Packages must be built within the same general infrastructure as
Ubuntu (Launchpad) and using the standard Ubuntu rootfs with the same
apt configuration."""

(Don't require same pool but require (must) the use of Launchpad and the
same build environment (rootfs and apt config).)



"""The result should be signed by a GPG key managed by Canonical within
the Canonical infrastructure."""

Should in my opinion read:
"""The result will be signed by a GPG key managed by Canonical within
the Canonical infrastructure. This key will be kept within Canonical and
won't be provided to the Ubuntu Kylin team."""

(s/should/will/ and make it very clear that the Kylin team won't have
access to a copy of the key.)



"""That GPG key should be separate from any other key currently in use
and should be (not a hard requirement for 14.04) signed by the archive
master key."""

Should in my opinion read:
"""That GPG key must be separate from any other key currently in use."""

(s/should/must/ and don't mention the trust path, we may take care of
this separately.)




As for the last point, the extension repository policy says that the
various criteria are enforced by the archive administrators, which in
this case won't be possible as this will use private PPAs.

I don't think we actually want to inspect every single upload but I'd
like the proposal to guarantee access to the packages to the Ubuntu
Archive admin team and the Security team for audit purposes as well as
confirm the authority of the former to request immediate removal of any
problematic content.

Something along the lines of:
"""The Ubuntu archive and Ubuntu Security teams act as the auditors for
this repository and will be allowed access to the repository in all
cases. The Ubuntu archive team may also request the immediate removal of
any unsuitable content."""

This may seem redundant with what the extension repository policy says,
however I don't believe it is once we consider that the current proposed
implementation uses private PPAs which won't be accessible by the
archive admins by default. This also covers the case where the kylin
repository would become region-restricted.

In practice what this means is that the Ubuntu archive team and Ubuntu
security team should be added as subscribers of the private PPA so that
they can, if needed access the content directly from Launchpad.


> 
> >  - Uploaders must be Ubuntu members and have signed the CoC (I'd have
> >    been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
> >    on the Kylin team would be able to upload...)
> 
> For comparison, I don't think we've ever required ubuntu-dev status for
> uploaders to the partner archive, but in practice the archive was /managed/
> by the ubuntu-archive team, for whom ubuntu-dev status is expected to be a
> precondition.  I think it's fine to only require Ubuntu membership at this
> phase.  But should the eventual goal be to require ubuntu-dev membership?
> Would that bring it more closely in line with the governance guidelines for
> the other archives?
> 
> >  - Packages must be built on the same infrastructure as Ubuntu, using
> >    the same builder pool and build chroots.
> 
> I think this is overly specific.  It makes sense to specify the software
> environment (build chroots), but the Tech Board should not dictate that the
> packages be built in "the same builder pool" as Ubuntu, which is an
> implementation detail - only in a builder pool with equivalent security.  By
> default, PPAs do not build on the same builder pool used for Ubuntu, and
> there doesn't seem to be a reason for this PPA to build there.
> 
> I suggest the following wording instead:
> 
>   - Packages must be built in the Canonical-managed Launchpad builders,
>     using the same build chroots as the Ubuntu archive and with no
>     build-dependencies on other PPAs.
> 
> >  - The result must be signed by a GPG key managed by Canonical (not
> >    provided to the Kylin team) within the Canonical infrastructure.
> >  - That GPG key must be separate from any other key currently in use and
> >    should be (not a hard requirement for 14.04) signed by the archive
> >    master key.
> 
> For comparison, the Extras archive key does not appear to be signed by the
> archive master key.  So I would omit this "should" altogether, especially as
> it's unrelated to our key management model for these extension archives.
> 
> >  - Distribution will be done through a server managed by the Kylin team
> >    which will get its content from a private server on Canonical's network.
> 
> > That should leave enough room for implementation details to be decided
> > by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
> > actually care about.
> 
> Let me know if the above sounds reasonable, and if I should update
> <https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive>.
> 
> Thanks,
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> Ubuntu Developer                                    http://www.debian.org/
> slangasek at ubuntu.com                                     vorlon at debian.org



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20140407/38ffe631/attachment-0001.pgp>

More information about the technical-board mailing list