On Tue, Apr 01, 2014 at 11:42:34PM +0800, jac...@ubuntukylin.com wrote:
> Hi Technical Board,
>
> I'm writing to request to add an archive for Ubuntu Kylin flavor. This
> archive mainly includes Chinese commercial packages co-developed by Ubuntu
> Kylin team and commercial companies. We also developed a software center
> client that supports both Ubuntu archive and Ubuntu Kylin archive.
>
>
> This request has already been supported by Jason, Leonard, Anthony, etc.
> from Canonical team. We know that in the rules of Ubuntu, flavors are not
> allowed to add archives. However, Ubuntu Kylin is a little special since it
> mainly focuses on Chinese users. Our partners (such as Sogou, King soft)
> want to locate their apps in China.
>
>
> Do you have any comments on this? Thanks in advance.

Hi,

My personal opinion on the matter is that it's too late to do that kind of stuff for 14.04, we are just a couple of weeks away from release so I don't think it's the right time to discuss potentially major changes to our policy with regard to what a flavour may use as its repositories.

I can see why that kind of feature would be beneficial to you and for your users, however I'd need a whole lot more documentation on exactly how that'd work before I even consider this.

One of my main concerns is about how those packages would be built, where, who would sign them, how would the signing keys be handled, ...

So far all the official archives of the Ubuntu project are basically handled in the same way, things build on Launchpad using the official build infrastructure and build chroots, the result is then either directly published to a signed archive (primary and partner archives) or published in a PPA and then mirrored and signed (extra and cloud archive).

In all cases, we have a direct trust path between the archive master key and those sub-archive keys, the main private keys are sharded and we have a clear process as to what to do in the event a key is compromised.

As any such archive is technically able to push any package to any machine that has it enabled, it's critical that the security side of things is well thought through and documented ahead of time.

>
>
> --
> Regards,
> Jack Yu
> UbuntuKylin Team
> --
> technical-board mailing list
> technical-board@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/technical-board

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com