Request for Adding Ubuntu Kylin Archive
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Apr 8 01:52:35 UTC 2014
On 14-04-07 08:40 PM, Steve Langasek wrote:
> On Fri, Apr 04, 2014 at 05:34:38PM -0400, Stéphane Graber wrote:
>>>> I think building the software in a private PPA, and then mirroring the
>>>> signed PPA onto NUDT's infrastructure would be a reasonable way of
>>>> achieving all the requirements.
>
>>>> Would that be an acceptable solution?
>
>>> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
>>> trying to dictate the technical details at this level. We might find that
>>> this is the best technical implementation, or we might find that something
>>> closer to partner, where packages are uploaded to a central archive queue
>>> and managed using the Ubuntu archive tooling, makes more sense.
>
>> I think we can at least set the following high level requirements:
>
> The Ubuntu Kylin team has captured this now in a wiki page:
>
> https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive
>
> Let's please iterate there.
>
>> - Uploaders must be Ubuntu members and have signed the CoC (I'd have
>> been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
>> on the Kylin team would be able to upload...)
>
> For comparison, I don't think we've ever required ubuntu-dev status for
> uploaders to the partner archive, but in practice the archive was /managed/
> by the ubuntu-archive team, for whom ubuntu-dev status is expected to be a
> precondition. I think it's fine to only require Ubuntu membership at this
> phase. But should the eventual goal be to require ubuntu-dev membership?
> Would that bring it more closely in line with the governance guidelines for
> the other archives?

I'm fine with Ubuntu membership for now.
>
>> - Packages must be built on the same infrastructure as Ubuntu, using
>> the same builder pool and build chroots.
>
> I think this is overly specific. It makes sense to specify the software
> environment (build chroots), but the Tech Board should not dictate that the
> packages be built in "the same builder pool" as Ubuntu, which is an
> implementation detail - only in a builder pool with equivalent security. By
> default, PPAs do not build on the same builder pool used for Ubuntu, and
> there doesn't seem to be a reason for this PPA to build there.
>
> I suggest the following wording instead:
>
> - Packages must be built in the Canonical-managed Launchpad builders,
> using the same build chroots as the Ubuntu archive and with no
> build-dependencies on other PPAs.

+1
>
>> - The result must be signed by a GPG key managed by Canonical (not
>> provided to the Kylin team) within the Canonical infrastructure.
>> - That GPG key must be separate from any other key currently in use and
>> should be (not a hard requirement for 14.04) signed by the archive
>> master key.
>
> For comparison, the Extras archive key does not appear to be signed by the
> archive master key. So I would omit this "should" altogether, especially as
> it's unrelated to our key management model for these extension archives.
>
>> - Distribution will be done through a server managed by the Kylin team
>> which will get its content from a private server on Canonical's network.
>
>> That should leave enough room for implementation details to be decided
>> by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
>> actually care about.
>
> Let me know if the above sounds reasonable, and if I should update
> <https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive>.
>
Looks good.
Marc.