fix: harden managed Linux bootstrap#792
Co-authored-by: Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com>
Codex review: needs real behavior proof before merge. Reviewed July 2, 2026, 5:00 PM ET / 21:00 UTC.

Summary: Reproducibility: yes for source-level reproduction: current main and v0.34.0 still render root curl-to-shell installer paths for Code Server and package-mode Tailscale. I did not run a live upstream compromise, and the PR's own Tailscale managed-lease proof remains incomplete. Review metrics: 3 noteworthy metrics.

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness: Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Review details. Best possible solution: Land this hardening after redacted latest-head managed Linux Tailscale proof is posted, the runner-bootstrap doc matches the package-mode implementation, and release-note ownership is handled outside normal PR-owned changelog edits or explicitly accepted. Do we have a high-confidence way to reproduce the issue? Yes for source-level reproduction: current main and v0.34.0 still render root curl-to-shell installer paths for Code Server and package-mode Tailscale. I did not run a live upstream compromise, and the PR's own Tailscale managed-lease proof remains incomplete. Is this the best way to solve the issue? Mostly yes: replacing root installer scripts with verified artifacts or a signed package repository is the right security direction. It is not merge-ready until live Tailscale proof and the small docs/release-note issues are resolved.

Overall correctness: patch is correct. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against cf2ace0a9742.

What the crustacean ranks mean: Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.
Closes #715.
Supersedes #742 because GitHub rejected maintainer pushes to the contributor fork despite
maintainerCanModify=true. The replacement preserves Andy Ye as co-author and keeps @TurboTheTurtle's changelog credit.

Summary

`package` contract through its signed APT repository with a checksum-pinned keyring; keep checksum-verified static archives as the explicit `pinned` mode.

`pinned` selection.

Verification

- `go test ./internal/cli` — pass.
- `npm test --prefix worker` — 25 files, 754 tests passed.
- `go vet ./...` — pass.

`main`.

`pkgs.tailscale.com`.

Remaining live gate

Run one disposable managed Linux lease with Tailscale enabled, verify the client version and a `100.x` tailnet address, then prove provider key, VM, and tailnet-node cleanup. The one-off credential must remain private and be injected only for that validation run.
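As an added example (not the PR's own bootstrap code), this sketches the two verified install paths the description contrasts with root curl-to-shell: a checksum-pinned keyring feeding a `signed-by` APT source for `package` mode, and a checksum-verified static archive for `pinned` mode. The repository path, suite and file locations are assumptions; only the host `pkgs.tailscale.com` comes from the PR.

```shell
#!/bin/sh
# Added example, not the PR's code. Repository path, suite and keyring location are
# assumptions; the host pkgs.tailscale.com is from the PR description.
set -eu

# verify_sha256 FILE EXPECTED: true only if FILE's SHA-256 equals the pinned digest.
verify_sha256() {
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# install_keyring SRC DEST EXPECTED: place an already-fetched repo signing key at DEST
# only when its digest matches the checksum pinned in the bootstrap. On mismatch it
# refuses and leaves DEST untouched, so a swapped key never becomes a trusted signer.
install_keyring() {
  verify_sha256 "$1" "$3" || { echo "keyring digest mismatch, refusing" >&2; return 1; }
  cp "$1" "$2" && chmod 0644 "$2"
}

# write_apt_source DEST KEYRING SUITE: package mode. signed-by binds this source to the
# verified keyring rather than the system-wide trusted key set.
write_apt_source() {
  printf 'deb [signed-by=%s] https://pkgs.tailscale.com/stable/ubuntu %s main\n' \
    "$2" "$3" > "$1"
}

# install_pinned_archive SRC DEST EXPECTED: pinned mode. Extract a static archive only
# after its digest matches the checksum recorded for that release.
install_pinned_archive() {
  verify_sha256 "$1" "$3" || { echo "archive digest mismatch, refusing" >&2; return 1; }
  mkdir -p "$2" && tar -xzf "$1" -C "$2"
}
```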