Pin managed Linux bootstrap installers#742
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 2, 2026, 4:16 PM ET / 20:16 UTC. Summary Reproducibility: yes. for source-level reproduction: current main and v0.34.0 still render the Code and package-mode Tailscale root curl-to-shell installer paths. I did not run a live installer compromise, and after-fix Tailscale runtime proof remains incomplete. Review metrics: 3 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Land the pinned-archive hardening after package-mode upgrade behavior is preserved or explicitly accepted, Worker archive residue is fixed, release notes are handled outside normal PR-owned changelog edits, and redacted latest-head Code+Tailscale canary proof is posted. Do we have a high-confidence way to reproduce the issue? Yes for source-level reproduction: current main and v0.34.0 still render the Code and package-mode Tailscale root curl-to-shell installer paths. I did not run a live installer compromise, and after-fix Tailscale runtime proof remains incomplete. Is this the best way to solve the issue? No, not merge-ready yet. Pinned verified archives are the right direction, but package-mode compatibility, Worker code-server archive residue, release-owned changelog handling, and live Tailscale canary proof need resolution first. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against ab1c29f3fd40. Label changesLabel justifications:
Evidence reviewedAcceptance criteria:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
|
Partial runtime evidence is available from a disposable Ubuntu runner, but this still does not satisfy the full tailnet-readiness proof ClawSweeper requested. Proof run: https://github.com/TurboTheTurtle/crabbox/actions/runs/28345365585/job/83967514604 Log highlights from artifact
So the archive-install pieces are proven live, but the requested real managed Linux Tailscale lease proof still needs an actual auth key/control-plane credential path. I’m not requesting ClawSweeper re-review for this PR yet because that missing tailnet join is still a real proof gap. |
264eb06 to
7d3028c
Compare
|
Maintainer proof update: exact head The only remaining landing gate is the Code + Tailscale canary already described in the PR body: use a one-off ephemeral key authorized for |
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
82f6328 to
8bb7932
Compare
8bb7932 to
45cd2f1
Compare
|
Superseded by the maintainer replacement #792 after GitHub rejected pushes to this fork despite maintainer edits being enabled. The replacement preserves Andy Ye as co-author and retains @TurboTheTurtle’s changelog credit while adding the reviewed Go/Worker parity fixes and live-gate plan. Thank you for the original hardening work. |
Closes #715.
Summary
curl | shinstaller pipelines with pinned, checksum-verified archives./usr/local/lib/code-serverwith a stable/usr/local/bin/code-serversymlink.CRABBOX_TAILSCALE_INSTALL_MODE=packageas pinned static mode; preserving package-mode behavior would require a separate signed-repository implementation.Verification
Exact head:
45cd2f1f5ac8199543a7890188705b20283635db(rebased onto the 0.34.1 development head). Exact-head CI is terminal green: https://github.com/openclaw/crabbox/actions/runs/28615364564go vet ./...andgo test -race ./...— pass.go test -race ./internal/cli -run '^TestWindowsWSL2BootstrapCompleteProbeUsesWindowsMarker$' -count=3— pass; confirms the unrelated full-matrix timeout is load-sensitive.npm run format:check --prefix workernpm run lint --prefix workernpm run check --prefix workernpm test --prefix worker— 25 files, 753 tests passed.npm run build --prefix workerscripts/check-docs.sh— 51 command docs, 69-provider matrix, 202 Markdown files, and docs build passed.origin/main— clean, no accepted/actionable findings.cp -apreserved the privatemktemproot mode and made code-server non-executable by the lease user. The current head restores mode0755after the copy in both CLI- and coordinator-generated bootstrap paths, with ordering regression coverage and clean focused/whole-branch autoreviews.60fc8745b73d0f4401fd5f5b7647309609e106561b8812f4e833f6809806be72— code-server 4.126.0 executed as the lease user, install root mode was0755, archive residue was absent, readiness passed, and the disposable EC2 instance and provider key both returned to zero.Remaining live gate
Boot one managed Linux canary with Tailscale enabled, verify Tailscale 1.98.4, prove a
100.xtailnet address, and confirm provider/key/node cleanup. The one-off ephemeral Tailscale credential remains private and is injected only for that validation run.