On Fri, Apr 04, 2014 at 02:26:54PM -0700, Steve Langasek wrote:
> On Fri, Apr 04, 2014 at 02:09:07PM -0400, Marc Deslauriers wrote:
> > >>However, it seems that the proposal being discussed here is to add a
> > >>second root of trust for the Ubuntu community. One root of trust is
> > >>necessary; two roots of trust, however trustworthy, are a weakness, and
> > >>one we should try to avoid.
>
> > I fully agree with this. If we were to ultimately allow a Kylin-specific
> > archive, having it be located under the same root of trust should be a
> > requirement.
>
> Does your phrasing here ("if we were to ultimately allow") imply that you
> see other blockers for approving such a thing? Or are we at the point that
> we should try to write up our understanding of the plan and vote on it?
>
> > >> - It's understood that the package archive server will be located in
> > >> China
> > >> and that only NUDT will have the rights to distribute the packages.
> > >> But,
> > >> is there a license reason that we could not do the package *builds* on
> > >> the existing Launchpad infrastructure, in a private ppa or other
> > >> private
> > >> archive? This would make it possible to do the package builds using
> > >> the
> > >> existing trusted infrastructure, and to do all package signing using
> > >> the
> > >> existing archive keys, while publishing the packages for distribution
> > >> only under control of the Ubuntu Kylin team. Would this satisfy the
> > >> requirements from the Kylin side?
>
> > > Yes, you have an accurate understanding of our situations, and I think
> > > we could build and sign these packages on LP. Actually, we have been
> > > building the Sogou input method on LP during our co-developed with Sogou
> > > Corp. We will build Kuaipan Storage Client and Kingsoft Office on LP
> > > soon.
>
> > I think building the software in a private PPA, and then mirroring the
> > signed PPA onto NUDT's infrastructure would be a reasonable way of
> > achieving all the requirements.
>
> > Would that be an acceptable solution?
>
> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
> trying to dictate the technical details at this level. We might find that
> this is the best technical implementation, or we might find that something
> closer to partner, where packages are uploaded to a central archive queue
> and managed using the Ubuntu archive tooling, makes more sense.I think we can at least set the following high level requirements: - Uploaders must be Ubuntu members and have signed the CoC (I'd have been tempted to require ~ubuntu-dev but that'd mean pretty much nobody on the Kylin team would be able to upload...) - Packages must be built on the same infrastructure as Ubuntu, using the same builder pool and build chroots. - The result must be signed by a GPG key managed by Canonical (not provided to the Kylin team) within the Canonical infrastructure. - That GPG key must be separate from any other key currently in use and should be (not a hard requirement for 14.04) signed by the archive master key. - Distribution will be done through a server managed by the Kylin team which will get its content from a private server on Canonical's network. That should leave enough room for implementation details to be decided by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I actually care about. Thoughts? > > Cheers, > -- > Steve Langasek Give me a lever long enough and a Free OS > Debian Developer to set it on, and I can move the world. > Ubuntu Developer http://www.debian.org/ > [email protected] [email protected] > -- > technical-board mailing list > [email protected] > https://lists.ubuntu.com/mailman/listinfo/technical-board -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
signature.asc
Description: Digital signature
-- technical-board mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/technical-board
