On 14-04-07 08:40 PM, Steve Langasek wrote:
> On Fri, Apr 04, 2014 at 05:34:38PM -0400, Stéphane Graber wrote:
>>>> I think building the software in a private PPA, and then mirroring the
>>>> signed PPA onto NUDT's infrastructure would be a reasonable way of
>>>> achieving all the requirements.
>
>>>> Would that be an acceptable solution?
>
>>> It sounds like it meets Ubuntu Kylin's needs, but I would be wary of us
>>> trying to dictate the technical details at this level. We might find that
>>> this is the best technical implementation, or we might find that something
>>> closer to partner, where packages are uploaded to a central archive queue
>>> and managed using the Ubuntu archive tooling, makes more sense.
>
>> I think we can at least set the following high level requirements:
>
> The Ubuntu Kylin team has captured this now in a wiki page:
>
> https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive
>
> Let's please iterate there.
>
>> - Uploaders must be Ubuntu members and have signed the CoC (I'd have
>> been tempted to require ~ubuntu-dev but that'd mean pretty much nobody
>> on the Kylin team would be able to upload...)
>
> For comparison, I don't think we've ever required ubuntu-dev status for
> uploaders to the partner archive, but in practice the archive was /managed/
> by the ubuntu-archive team, for whom ubuntu-dev status is expected to be a
> precondition. I think it's fine to only require Ubuntu membership at this
> phase. But should the eventual goal be to require ubuntu-dev membership?
> Would that bring it more closely in line with the governance guidelines for
> the other archives?

I'm fine with Ubuntu membership for now.

>
>> - Packages must be built on the same infrastructure as Ubuntu, using
>> the same builder pool and build chroots.
>
> I think this is overly specific. It makes sense to specify the software
> environment (build chroots), but the Tech Board should not dictate that the
> packages be built in "the same builder pool" as Ubuntu, which is an
> implementation detail - only in a builder pool with equivalent security. By
> default, PPAs do not build on the same builder pool used for Ubuntu, and
> there doesn't seem to be a reason for this PPA to build there.
>
> I suggest the following wording instead:
>
> - Packages must be built in the Canonical-managed Launchpad builders,
> using the same build chroots as the Ubuntu archive and with no
> build-dependencies on other PPAs.

+1

>
>> - The result must be signed by a GPG key managed by Canonical (not
>> provided to the Kylin team) within the Canonical infrastructure.
>> - That GPG key must be separate from any other key currently in use and
>> should be (not a hard requirement for 14.04) signed by the archive
>> master key.
>
> For comparison, the Extras archive key does not appear to be signed by the
> archive master key. So I would omit this "should" altogether, especially as
> it's unrelated to our key management model for these extension archives.
>
>> - Distribution will be done through a server managed by the Kylin team
>> which will get its content from a private server on Canonical's network.
>
>> That should leave enough room for implementation details to be decided
>> by the relevant teams (Launchpad, IS, Kylin) while enforcing the bits I
>> actually care about.
>
> Let me know if the above sounds reasonable, and if I should update
> <https://wiki.ubuntu.com/Ubuntu%20Kylin/Ubuntu%20Kylin%20Archive>.
>

Looks good.

Marc.
