create/document charm store review process

Bug #966566 reported by Jamie Strandboge on 2012-03-27
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juju Charms Collection
Undecided
Unassigned
juju (Ubuntu)
High
Unassigned
Precise
High
Unassigned

Bug Description

This is a tracking bug for a dependency of the juju MIR (bug #912861).

This process should include promoting the deploying AppArmor policy in charms.

Clint Byrum (clint-fewbar) wrote :

The policy and process are documented here:

https://juju.ubuntu.com/Charms

I added a recommendation to use AppArmor:

"should make use of AppArmor to increase security"

Changed in juju (Ubuntu Precise):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Marking back to triaged. While https://juju.ubuntu.com/Charms states "your charm should then be looked at in a timely manner" it doesn't state the process that is used to review the charm. There is process there for people to get their charm reviewed, but that is different. This bug is about having something like the ARB or MIR requirements for charm reviewers.

The point of the bug is that there is a set of guidelines for reviewers to follow and to make sure that charms are written well and don't introduce security holes. Eg: http://jujucharms.com/charms/oneiric/phpmyadmin/config has a default passphrase and http://jujucharms.com/charms/oneiric/phpmyadmin/hooks/install has 'chown -R www-data:www-data /var/www'. What is the signoff procedure here? Is the default password guaranteed to be changed on install? Are there configuration files in /var/www that should not be chowned to www-data:www-data to prevent abuse? (ie, often config files in webapps are owned by root so if www-data is under attacker control, there is still some protection). Where are the comments for such review/sign-offs listed?

Changed in juju (Ubuntu Precise):
status: Fix Released → Triaged
Jamie Strandboge (jdstrand) wrote :

To be clear, while it would be good to see the phpmyadmin issues above addressed, they aren't this bug-- I used them as examples of why charms should have a review process. Included in that review process should be some sort of documentation trail so that someone looking at them for the first time can have questions answered.

Jamie Strandboge (jdstrand) wrote :

Indeed, https://juju.ubuntu.com/CharmGuide has a section for charm reviewers, but it is empty.

Changed in juju (Ubuntu Precise):
importance: Undecided → High
Changed in juju (Ubuntu Precise):
milestone: ubuntu-12.04 → none
Changed in juju (Ubuntu):
milestone: ubuntu-12.04 → none
tags: removed: rls-p-tracking
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers