Re: SRU and Governance docs -> Ubuntu Project docs

On Fri, Sep 26, 2025 at 11:21:56AM +0200, Robert Kratky wrote:
> Following further discussion with the IS team, it's clear they cannot
> dedicate cycles to adapting their LP -> GH sync solution for our
> purposes right now.
>
> Therefore, I'd like to move forward with the previously suggested
> (temporary) alternative: using individual GitHub account IDs in the
> CODEOWNERS file. I realize this is a sub-optimal solution as it requires
> a manual intervention to reflect any potential changes to team
> composition.

I'll ask again please that you implement something that notifies you
when a relevant Launchpad team changes, so that you can then manually
fix the GitHub side. This should take all of half an hour for someone
familiar with the Launchpad API, so I don't think it's a big ask. This
would avoid imposing a burden and friction on new team members who can't
be expected to know what to do nor who to contact.

> However, in view of the fact that the 'Ubuntu Project' docs are now
> being actively worked on (and this focus is planned to continue during
> the 26.04 cycle), I'm convinced there'd be no danger of creating "second
> class citizens" as Robie put it.

I don't see how you can be convinced given that you said just above that
you (collectively) cannot prioritise fixing this.

Robie

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: PGP key recommendations for Ubuntu Development

On 2025-09-24 11.53, Christian Ehrhardt wrote:
> For a while I'm working on an improvement to how Ubuntu
> developers set up and handle their PGP keys.
> [...]
>
> [1]: https://github.com/ubuntu/ubuntu-project-docs/pull/182

Thanks for this much needed initiative! I left some minor review
comments to the PR, but in general it looks great. There is some
terminology specific to GnuPG in it, but I think that's fine for the
time being: sequoia is still not that widely adopted.

Cheers,

Paride

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: DKMS upload rights application

Hi all,

On Wed, Sep 3, 2025 at 8:43 PM Massimiliano Pellizzer
<massimiliano.pellizzer@canonical.com> wrote:
> I would like to announce my application for membership in the DKMS
> package set uploader team. My application can be found at:
>
> https://wiki.ubuntu.com/MassimilianoPellizzer/DkmsUploadApplication

DMB unanimously voted in favor of Massimiliano's application along
with some great feedback. Please join me in welcoming Massimiliano as
the newest uploader of the DKMS packageset.

Massimiliano, you should have all the ACL in order now, please let me
know if you have any questions or concerns.

- u

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: PGP key recommendations for Ubuntu Development

On Fri, Sep 26, 2025 at 8:57 AM Christian Ehrhardt
<christian.ehrhardt@canonical.com> wrote:
>
> On Thu, Sep 25, 2025 at 1:33 PM Robie Basak <racb@ubuntu.com> wrote:
> >
> > Without having gone into the security specfics in detail, this looks
> > great! I very much appreciate your initiative here - I think a set of
> > recommendations like this will make a difference, and I'm in favour of
> > the general direction of setting security guidelines and perhaps even
> > enforcing some of them in future to keep Ubuntu users safe.
>
> Thanks for the general support!
>
> > Some things that might be worth considering and appropriate text adding:
> >
> > 1) Who has control of the hardware key, knowledge of the passphrase and
> > control of the systems it is plugged into.
>
> totally reasonable - will add that
>
> > 2) Expectations of the above. The Ubuntu developer as an individual is
> > the only person authorised by Ubuntu and is expected to have exclusive
> > control of the key. If exclusive control is compromised then the key
> > should be revoked.
>
> same - will add that
>
> > 3) The importance of being in control of what the key is used to sign
> > (eg. an attack vector is that you activated your key to sign something
> > you thought was innocent but is actually controlled by an adversary).

I've added that, but in a softer tone to avoid ruling out people/setups too
easily while still keeping everyone vigilant about the potential risks.

> > 4) What actions to take if a key or signing compromise is suspected.

went to "known, but missing for now"

> > No need to block the PR on this but if not done now then perhaps these
> > could be added to an issue tracker somewhere to do later.

I've updated the PR [1] with content based on the discussions here and
further feedback that I've got.

- Add a section about control and ownership (thanks for the suggestions Robie)
- Refer to the glossary for signing keys
- List known missing aspects visible to the reader
- Acknowledge the lack of requirements for alternatives (from the
discussion between Spyros and Aaron)
- Fix time-time: associate -> associated

[1]: https://github.com/ubuntu/ubuntu-project-docs/pull/182#issuecomment-3337587732

> I'll certainly add something for #1 and #2 today,
> for #3 and #4 I'll try but probably fall back to add a "known next
> steps" sections
> so things like these are not just missing but acknowledged to be needed yet
> for now undefined.
>
> That will help to not forget about these aspects and establish that we
> want to have them defined at some point.
>
> > Robie
>
>
>
> --
> Christian Ehrhardt
> Director of Engineering, Ubuntu Server
> Canonical Ltd

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: SRU and Governance docs -> Ubuntu Project docs

Hi,

I'd like to follow up on this with an update and hopefully get things
moving. See below for a continuation of the discussion regarding ACL
setup for the new repo.

On Tue, Sep 2 25 12:16, Robert Kratky wrote:

[snip]

>>> This setup is what I'd like to offer the Board and SRU. I believe the
>>> case for consolidating all this content in one place is sound, and the
>>> CODEOWNERS setup ensures the content wouldn't be out of your team's
>>> control.
>>>
>>> The one potentially sticky point is that it's on GitHub, i.e. the
>>> involved people would need a GH account for the ACL to work. We can
>>> include people individually, which is what we've been doing so far.
>>> Special GitHub teams could also be set up for that purpose.
>>>
>>> (We've also been looking into auto-syncing LP -> GH teams, so this
>>> access control would continue to be automatically based on LP team
>>> membership...
>>
>> I think it's important that friction to make changes remains low. We
>> must avoid creating "second class citizen" governance team members
>> because team membership changes haven't propogated. Please could you
>> ensure that whatever process you use, changes propagate without
>> intervention and without delay?
>
> If set up using the mechanism that IS has in place for syncing LP and
> GH teams, this would be automatic.
>
>> You'll presumably need a mapping from Launchpad accounts to GitHub
>> accounts. Maybe the Launchpad "social accounts" feature could be used
>> for this, like for Matrix. But then you'll need to ensure to propagate
>> both on Launchpad team membership changes as well as mapping changes,
>> and perhaps this needs some thought about validation.
>
> I'm talking to IS to see what we can come up with regarding the mapping.
> In the meantime, I'd suggest we go the route of indiv. accounts in the
> CODEOWNERS file. I realize that's a sub-optimal long-term solution, but
> I think it's a good stop-gap while the larger docs set is WIP.

Following further discussion with the IS team, it's clear they cannot
dedicate cycles to adapting their LP -> GH sync solution for our
purposes right now.

Therefore, I'd like to move forward with the previously suggested
(temporary) alternative: using individual GitHub account IDs in the
CODEOWNERS file. I realize this is a sub-optimal solution as it requires
a manual intervention to reflect any potential changes to team
composition.

However, in view of the fact that the 'Ubuntu Project' docs are now
being actively worked on (and this focus is planned to continue during
the 26.04 cycle), I'm convinced there'd be no danger of creating "second
class citizens" as Robie put it.

Meanwhile, we'd be working on automating the process as discussed above
-- either using the IS solution (provided the team can accommodate
us), or otherwise.

If there's no opposition to this plan, I'd like to go ahead with it next
week.

Robert

Re: PGP key recommendations for Ubuntu Development

On Thu, Sep 25, 2025 at 9:46 PM Aaron Rainbolt <arraybolt3@gmail.com> wrote:
>
> On Thu, Sep 25, 2025 at 2:11 PM Spyros Seimenis
> <spyros.seimenis@canonical.com> wrote:
> >>
> > We should have clear guidelines about what are the requirements for an alternative method to be considered as trusted as the ones I mentioned above (what are the necessary attestations, how feasible it is to automate verification as a whole/in parts etc). For the Qubes example, I want to see cryptographic proof that the signing happened inside the "air-gapped" qube, proof that the key was indeed generated inside of it and cannot leave it, proof that you have set up your system properly and that your system comes from a manufacturer I consider trusted so that I can trust its hardware isolation mechanisms etc. (turtles all the way down) and I also want a system to do that verification for me as much as possible.

Thanks for the suggestion Spyros and all the details.

I agree that we'd want such requirements to become defined over time.
We'd want that for being able to process an alternatives which we
might consider required to make some of it fully mandatory.

But I do not think having these requirements fully defined needs to
block recommending a good setup today.
Trying to balance efforts and gains now vs what is needed into the
future I'd say that the first alternative that will be processed will
be more intense having to find out in discussions and evaluations what
the requirements need to be.

Still - I'll add this into the "alternative" section that I started in
the PR - as it is important to not forget about this.

> I think you're approaching this from the standpoint of Ubuntu being a
> corporate project with security requirements from employees. That
> would be great if that is what Ubuntu was, but that is not what Ubuntu
> is.

To be clear once more if there have been any misunderstandings,
my intend hereby is not to enforce anything yet, for today we
are talking about improving this for any Ubuntu contributor from
"no docs - good luck" to "a reasonable recommendation" which
will improve the status quo a lot.

I hinted at potential enforcement in the future, partially to have
exactly such a discussion in time and highly appreciate you and
Spyros for having engaged on the topic here!

> Ubuntu is a community project with a largely volunteer-based
> workforce. As such, we have traditionally always taken steps to ensure
> that the volunteers who work as part of Ubuntu are highly trusted - we
> work with them on a personal level for months before trusting them
> with archive upload privileges, ensuring that they are non-malicious,
> constructive members of the community who know what they're doing and
> will work closely with the rest of Ubuntu to do their job correctly.
> If someone is trustworthy enough to do everything else with their
> development work correctly, I see no reason they shouldn't be trusted
> to do their key management correctly, provided they have been trained
> on how to manage their keys just like they were trained on how to
> manage packages.
>
> Ensuring that the key comes from a source that is somehow considered
> objectively trustworthy is essentially enforcing an enterprise policy
> across a non-enterprise community.

The community is diverse, and gladly so. But in my example around
potentially mandating in the future I had already acknowledged that by
suggesting that companies can decide to do that earlier. Like Canonical
could then say internally "nice recommendation - and for our folks we
make it mandatory". That is enterprise rules for enterprise folks and
not for all - which is a great middle ground for progress where possible.

> It's also very insufficient as far
> as real-world security goes; a person could

So far - all major discussion participants have already acknowledged
that any solution will have weaknesses.
At least for me and now, I'm trying to be helpful in getting a
recommendation up at all, and I'll therefore avoid that side of the
debate of "a person could ...".

> The entirety of that community ...

I get the feeling that I should be happy to have triggered this discussion,
but IMHO that aspect only is blocked once someone would later change
it to "it is mandatory for ..." covering groups that are project but
not company.

To go forward I think there are two paths that are independent
1)
And as long as "it is mandatory" is out of the picture for now, I
consider all we got as "+1" or "+1 with helpful suggestions"
I'm happy to continue, to facilitate all input to make the PR better
and at some point land it.

2)
For a future change to make anything mandatory that can be inside any
company or need to finalize this aspect of the discussion.

After all this is why I also called the tech board to state their
position for this PR, even not yet making anything mandatory
(I actually called them earlier than here, but things take time
https://lists.ubuntu.com/archives/technical-board/2025-September/003049.html)

> --
> Aaron
>
> > [1]: https://developers.yubico.com/PKI/yubico-ca-certs.txt

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: PGP key recommendations for Ubuntu Development

On Thu, Sep 25, 2025 at 1:33 PM Robie Basak <racb@ubuntu.com> wrote:
>
> Without having gone into the security specfics in detail, this looks
> great! I very much appreciate your initiative here - I think a set of
> recommendations like this will make a difference, and I'm in favour of
> the general direction of setting security guidelines and perhaps even
> enforcing some of them in future to keep Ubuntu users safe.

Thanks for the general support!

> Some things that might be worth considering and appropriate text adding:
>
> 1) Who has control of the hardware key, knowledge of the passphrase and
> control of the systems it is plugged into.

totally reasonable - will add that

> 2) Expectations of the above. The Ubuntu developer as an individual is
> the only person authorised by Ubuntu and is expected to have exclusive
> control of the key. If exclusive control is compromised then the key
> should be revoked.

same - will add that

> 3) The importance of being in control of what the key is used to sign
> (eg. an attack vector is that you activated your key to sign something
> you thought was innocent but is actually controlled by an adversary).
>
> 4) What actions to take if a key or signing compromise is suspected.
>
> No need to block the PR on this but if not done now then perhaps these
> could be added to an issue tracker somewhere to do later.

I'll certainly add something for #1 and #2 today,
for #3 and #4 I'll try but probably fall back to add a "known next
steps" sections
so things like these are not just missing but acknowledged to be needed yet
for now undefined.

That will help to not forget about these aspects and establish that we
want to have them defined at some point.

> Robie

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel