Charm Store policy updates and refinement for 2.0

Stuart Bishop stuart.bishop at canonical.com
Tue Mar 22 02:14:24 UTC 2016


On 19 March 2016 at 02:58, Jorge O. Castro <jorge at ubuntu.com> wrote:

> Recommendations from everyone on what we should include here would be
> most welcome, specifically our recommendations around Windows charms
> is non-existent.

I think the acceptable software sources needs to be expanded.
Launchpad PPAs should be acceptable as signing keys are securely
retrieved when using 'add-apt-repository ppa:foo/bar'. Also, 3rd party
apt repositories should be acceptable if the signing key is embedded
in the charm (PyPi could be checked similarly, but it seems rare to
find signed packages there).

In addition, any software sources not in the main Ubuntu or CentOS
archives should be listed in configuration items that can be
overridden rather than hard coded in the charm, or else the charm is
useless in network restricted environments (and yes, migrating to
resources may be a better user experience in many cases).

As examples, the PostgreSQL charm pulls non-default packages from the
upstream PostgreSQL apt repository (PGDG, which is the source which
flows to Debian and Ubuntu). The Cassandra charm pulls a required
driver from a PPA I control. It also installs packages from either the
Apache apt repository or the DataStax apt repository. Cassandra is not
available in the Debian or Ubuntu main archives, probably as it
required the Oracle JVM. Both charms use the
install_sources/install_keys config items parsed by charm-helpers and
the apt layer to make this configurable.

On a side note, it is somewhat disingenuous to block charms in the
store from pulling dependencies from untrusted sources at run time
when we happily pull dependencies from untrusted sources at build
time. I think the fix here is to do better at build time (Moving the
interfaces web site to https: and ensuring clients use that address,
only allowing https:, git+ssh: and other secure protocols for pulling
branches, and checking GPG signatures of embedded wheels are the
issues here I'm aware of)

-- 
Stuart Bishop <stuart.bishop at canonical.com>



More information about the Juju mailing list