Marking back to triaged. While https://juju.ubuntu.com/Charms states
"your charm should then be looked at in a timely manner", it doesn't
state the process that is used to review the charm. There is a process
there for people to get their charm reviewed, but that is different.
This bug is about having something like the ARB or MIR requirements for
charm reviewers.

The point of the bug is that there is a set of guidelines for reviewers
to follow and to make sure that charms are written well and don't
introduce security holes. E.g.:
http://jujucharms.com/charms/oneiric/phpmyadmin/config has a default
passphrase and
http://jujucharms.com/charms/oneiric/phpmyadmin/hooks/install has 'chown
-R www-data:www-data /var/www'. What is the signoff procedure here? Is
the default password guaranteed to be changed on install? Are there
configuration files in /var/www that should not be chowned to
www-data:www-data to prevent abuse? (i.e., often config files in webapps
are owned by root so if www-data is under attacker control, there is
still some protection). Where are the comments for such review/sign-offs
listed?

** Changed in: juju (Ubuntu Precise)
       Status: Fix Released => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to juju in Ubuntu.
https://bugs.launchpad.net/bugs/966566

Title:
  create/document charm store review process
