On 14-04-04 05:34 PM, Stéphane Graber wrote:
> On Fri, Apr 04, 2014 at 02:26:54PM -0700, Steve Langasek wrote:
>> On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
>>>>> However, it seems that the proposal being discussed here is to add a
>>>>> second root of trust for the Ubuntu community. One root of trust is
>>>>> necessary; two roots of trust, however trustworthy, are a weakness, and
>>>>> one we should try to avoid.
>>
>>> I fully agree with this. If we were to ultimately allow a Kylin-specific
>>> archive, having it be located under the same root of trust should be a
>>> requirement.
>>
>> Does your phrasing here ("if we were to ultimately allow") imply that you
>> see other blockers for approving such a thing? Or are we at the point that
>> we should try to write up our understanding of the plan and vote on it?
No, I don't think there are any blockers.
>>
>>>>> - It's understood that the package archive server will be located in China
>>>>> and that only NUDT will have the rights to distribute the packages.
>>>>> But,
>>>>> is there a license reason that we could not do the package *builds* on
>>>>> the existing Launchpad infrastructure, in a private ppa or other private
>>>>> archive? This would make it possible to do the package builds using the
>>>>> existing trusted infrastructure, and to do all package signing using the
>>>>> existing archive keys, while publishing the packages for distribution
>>>>> only under control of the Ubuntu Kylin team. Would this satisfy the
>>>>> requirements from the Kylin side?
>>
>>>> Yes, you have an accurate understanding of our situations, and I think
>>>> we could build and sign these packages on LP. Actually, we have been
>>>> building the Sogou input method on LP during our co-developed with Sogou
>>>> Corp. We will build Kuaipan Storage Client and Kingsoft Office on LP
>>>> soon.
>>
>>> I think building the software in a private PPA, and then mirroring the
>>> signed PPA onto NUDT's infrastructure would be a reasonable way of
>>> achieving all the requirements.
>>
>>> Would that be an acceptable solution?
>>
>> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
>> trying to dictate the technical details at this level. We might find that
>> this is the best technical implementation, or we might find that something
>> closer to partner, where packages are uploaded to a central archive queue
>> and managed using the Ubuntu archive tooling, makes more sense.
>
> I think we can at least set the following high level requirements:
> - Uploaders must be Ubuntu members and have signed the CoC (I'd have
> been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
> on the Kylin team would be able to upload...)
> - Packages must be built on the same infrastructure as Ubuntu, using
> the same builder pool and build chroots.
> - The result must be signed by a GPG key managed by Canonical (not
> provided to the Kylin team) within the Canonical infrastructure.
> - That GPG key must be separate from any other key currently in use and
> should be (not a hard requirement for 14.04) signed by the archive
> master key.
> - Distribution will be done through a server managed by the Kylin team
> which will get its content from a private server on Canonical's network.
>
> That should leave enough room for implementation details to be decided
> by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
> actually care about.
>
> Thoughts?
Can we add to the requirements that the packages in the repository must adhere
to the Extension Repository Policy (or perhaps a slightly adjusted version)?
Marc.
--
technical-board mailing list
technical-board@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/technical-board
