
fix: harden managed Linux bootstrap #792

Open

steipete wants to merge 1 commit into main from codex/issue715-bootstrap-trust

Conversation

steipete (Contributor) commented Jul 2, 2026

Closes #715.

Supersedes #742 because GitHub rejected maintainer pushes to the contributor fork despite maintainerCanModify=true. The replacement preserves Andy Ye as co-author and keeps @TurboTheTurtle's changelog credit.

Summary

  • Replace managed Linux Code Server root installer scripts with pinned, checksum-verified archives in both CLI and coordinator bootstrap generators.
  • Preserve Tailscale's existing default package contract through its signed APT repository with a checksum-pinned keyring; keep checksum-verified static archives as the explicit pinned mode.
  • Keep Go and Worker mode parsing aligned, including case-insensitive pinned selection.
  • Remove downloaded archives before copying install roots and disarm temporary-directory traps after successful cleanup.
  • Update operator documentation and regression coverage.

Verification

  • go test ./internal/cli — pass.
  • npm test --prefix worker — 25 files, 754 tests passed.
  • go vet ./... — pass.
  • Worker format, lint, typecheck, and dry-run build — pass.
  • Docs command surface, provider matrix, links, and site build — pass.
  • Focused Go and Worker bootstrap tests — pass after rebasing onto current main.
  • Autoreview — clean after fixing a Go/Worker install-mode parity finding; replacement-branch autoreview also clean.
  • Ephemeral Ubuntu 24.04 package canary — pinned keyring checksum verified, signed stable repository installed Tailscale 1.98.8, and package provenance resolved to pkgs.tailscale.com.

Remaining live gate

Run one disposable managed Linux lease with Tailscale enabled, verify the client version and a 100.x tailnet address, then prove provider key, VM, and tailnet-node cleanup. The one-off credential must remain private and be injected only for that validation run.

Co-authored-by: Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com>
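The verify-then-install ordering the summary above describes, as an added shell example that is not part of this PR or of the project's bootstrap generators: a SHA-256 gate that refuses to unpack an artifact unless it matches a pinned digest, followed by the archive removal and temp-directory trap disarm ordering the summary lists. The same `verify_sha256` gate is what a checksum-pinned keyring for the signed APT mode would pass through. Function names, the sample archive, its contents and the digest are constructed here; a real generator would embed the pinned digest as a constant and fetch the artifact from its upstream URL.

```shell
#!/bin/sh
# Added example, not the PR's own bootstrap code: fail-closed verification of a
# pinned artifact (archive or keyring) before it is used. Function names,
# paths and the sample archive are constructed for this illustration.
set -eu

# Return 0 only when FILE's SHA-256 equals EXPECTED_HEX (lower-case hex digest).
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Unpack ARCHIVE into DEST only after its checksum matches EXPECTED_HEX.
# Ordering: verify, extract into a temp dir, delete the archive before
# copying the install root, then disarm the temp-dir trap once cleanup
# has succeeded. On mismatch nothing is extracted and the archive is kept.
install_pinned_archive() {
  archive=$1
  expected=$2
  dest=$3
  if ! verify_sha256 "$archive" "$expected"; then
    echo "refusing to install $archive: SHA-256 mismatch" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT        # guarantees cleanup if extraction aborts
  tar -xzf "$archive" -C "$tmp"
  rm -f "$archive"                 # archive is no longer needed once unpacked
  mkdir -p "$dest"
  cp -R "$tmp/root/." "$dest/"     # copy the extracted install root
  rm -rf "$tmp"
  trap - EXIT                      # cleanup done; disarm so a later exit does nothing
}

# Build a constructed sample archive under DIR and print its path, so the
# functions above can be exercised offline without downloading anything.
make_sample_archive() {
  dir=$1
  mkdir -p "$dir/root/bin"
  printf '#!/bin/sh\necho sample\n' > "$dir/root/bin/code-server"
  chmod +x "$dir/root/bin/code-server"
  tar -czf "$dir/sample.tar.gz" -C "$dir" root
  rm -rf "$dir/root"
  echo "$dir/sample.tar.gz"
}

# Stand-alone demonstration: build the sample, pin its digest, install it.
demo() {
  work=$(mktemp -d)
  archive=$(make_sample_archive "$work")
  pinned=$(sha256sum "$archive" | cut -d' ' -f1)   # stands in for the digest embedded in a generator
  install_pinned_archive "$archive" "$pinned" "$work/install"
  ls -l "$work/install/bin"
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run with `sh verify_install.sh --demo` to see the happy path; the refusal path is the one worth keeping in mind for upgrade planning, since a digest that no longer matches (for instance after an upstream key or archive rotation) stops the bootstrap rather than silently installing whatever was served.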
clawsweeper (Bot, Contributor) commented Jul 2, 2026

Codex review: needs real behavior proof before merge. Reviewed July 2, 2026, 5:00 PM ET / 21:00 UTC.

Summary
The PR replaces managed Linux Code Server and Tailscale root installer-script bootstrap paths in the Go CLI and Worker generators with checksum-verified Code Server archives, a signed Tailscale package repository default, tests, and docs updates.

Reproducibility: yes, for source-level reproduction: current main and v0.34.0 still render root curl-to-shell installer paths for Code Server and package-mode Tailscale. I did not run a live upstream compromise, and the PR's own Tailscale managed-lease proof remains incomplete.

Review metrics: 3 noteworthy metrics.

  • Changed surface: 11 files, +245/-28. The diff spans Go bootstrap, Worker bootstrap, Tailscale parsing, tests, docs, and release notes, so parity and upgrade behavior matter before merge.
  • Bootstrap generators hardened: 2 changed. Both the direct Go CLI generator and Worker coordinator generator are touched for the same installer-integrity behavior.
  • Remaining live gate: 1 managed Linux Tailscale canary. The PR body names this runtime proof as still outstanding before landing.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #715
Summary: This PR is the active replacement candidate fix for the canonical managed Linux Code Server and Tailscale installer-integrity issue, and it supersedes the earlier contributor PR that targeted the same issue.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Post redacted latest-head managed Linux Tailscale proof showing client version, 100.x address, and provider/key/node cleanup.
  • [P1] Fix the runner-bootstrap Tailscale wording and move or get explicit ownership for the changelog entry.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The PR body includes useful command and package-canary verification, but it explicitly says the real managed Linux Tailscale lease proof with a 100.x address and cleanup is still missing; add redacted live output or terminal screenshots, then update the PR body to trigger re-review.

Risk before merge

  • [P1] The PR body itself still lists the live managed Linux Tailscale lease as a remaining gate, so merge would rely on an unproven real credential, tailnet join, 100.x address, and cleanup path.
  • [P1] Package-mode bootstrap now fails closed on distro/keyring validation; that is security-positive but upgrade-sensitive if an existing managed Linux image or future Tailscale key rotation does not match the pinned assumptions.
  • [P1] One touched runner-bootstrap doc says default --tailscale installs a checksum-verified pinned archive, while the actual PR preserves package mode through a signed APT repository.

Maintainer options:

  1. Finish the live managed-lease gate (recommended)
    Run the PR head on one disposable managed Linux lease with Tailscale enabled and post redacted proof of client version, 100.x address, and provider/key/node cleanup.
  2. Accept fail-closed package hardening
    Maintainers can explicitly accept the keyring checksum and supported-distro checks as the intended package-mode upgrade behavior once live proof exists.
  3. Pause until credentials are available
    If no approved one-off Tailscale credential is available, keep the PR paused rather than landing an unproven bootstrap readiness path.

Next step before merge

  • [P1] Human review remains because the outstanding live Tailscale proof and acceptance of fail-closed package-mode behavior are maintainer-controlled, even though the remaining file fixes are narrow.

Security
Cleared: No concrete new security or supply-chain regression was found; the diff improves bootstrap integrity by removing root execution of mutable installer scripts.

Review findings

  • [P3] Fix the Tailscale bootstrap description — docs/features/runner-bootstrap.md:102
  • [P3] Move release-note text out of the changelog — CHANGELOG.md:8

Review details

Best possible solution:

Land this hardening after redacted latest-head managed Linux Tailscale proof is posted, the runner-bootstrap doc matches the package-mode implementation, and release-note ownership is handled outside normal PR-owned changelog edits or explicitly accepted.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level reproduction: current main and v0.34.0 still render root curl-to-shell installer paths for Code Server and package-mode Tailscale. I did not run a live upstream compromise, and the PR's own Tailscale managed-lease proof remains incomplete.

Is this the best way to solve the issue?

Mostly yes: replacing root installer scripts with verified artifacts or a signed package repository is the right security direction. It is not merge-ready until live Tailscale proof and the small docs/release-note issues are resolved.

Full review comments:

  • [P3] Fix the Tailscale bootstrap description — docs/features/runner-bootstrap.md:102
    This doc now says --tailscale installs a checksum-verified pinned Tailscale archive, but the PR intentionally keeps default package mode on a signed APT repository and reserves static archives for pinned. Please make this page match the implementation so operators do not expect archive mode without setting it.
    Confidence: 0.9
  • [P3] Move release-note text out of the changelog — CHANGELOG.md:8
    This review policy treats CHANGELOG.md as release-owned, so a normal PR should keep this release-note context in the PR body or commit message unless release ownership explicitly takes the changelog edit.
    Confidence: 0.76

Overall correctness: patch is correct
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against cf2ace0a9742.

Label changes:

  • add P1: The PR addresses high-impact managed-bootstrap supply-chain hardening, but merge still needs live proof for a documented Tailscale workflow.
  • add merge-risk: 🚨 compatibility: The default package-mode bootstrap is now a fail-closed signed repository implementation with distro and keyring validation that existing setups must tolerate on upgrade.
  • add merge-risk: 🚨 availability: If the new install path or tailnet join fails at runtime, managed Linux leases with Tailscale can fail readiness.
  • add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
  • add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body includes useful command and package-canary verification, but it explicitly says the real managed Linux Tailscale lease proof with a 100.x address and cleanup is still missing; add redacted live output or terminal screenshots, then update the PR body to trigger re-review.

Label justifications:

  • P1: The PR addresses high-impact managed-bootstrap supply-chain hardening, but merge still needs live proof for a documented Tailscale workflow.
  • merge-risk: 🚨 compatibility: The default package-mode bootstrap is now a fail-closed signed repository implementation with distro and keyring validation that existing setups must tolerate on upgrade.
  • merge-risk: 🚨 availability: If the new install path or tailnet join fails at runtime, managed Linux leases with Tailscale can fail readiness.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body includes useful command and package-canary verification, but it explicitly says the real managed Linux Tailscale lease proof with a 100.x address and cleanup is still missing; add redacted live output or terminal screenshots, then update the PR body to trigger re-review.

Evidence reviewed

What I checked:

  • PR diff reviewed: The patch changes 11 files with +245/-28 across Go bootstrap, Worker bootstrap, Tailscale env parsing, tests, docs, and CHANGELOG. (a7db74b14248)
  • Current main still has the vulnerable Worker paths: Current main still emits code-server.dev/install.sh and tailscale.com/install.sh root shell installer paths in Worker bootstrap, so this PR is not obsolete. (worker/src/bootstrap.ts:1467, cf2ace0a9742)
  • Latest release has not shipped the hardening: The v0.34.0 release still contains the same Worker Code Server and package-mode Tailscale installer-script paths. (worker/src/bootstrap.ts:1467, ef898c27570a)
  • PR head preserves package mode through signed APT: The PR head defaults non-pinned Tailscale installs to a signed package repository path with a checksum-verified keyring, rather than the previous install.sh pipeline. (worker/src/bootstrap.ts:1522, a7db74b14248)
  • Keyring checksum spot-check: The pinned Tailscale keyring checksum matched current Ubuntu noble/jammy/focal and Debian bookworm/bullseye noarmor.gpg keyring responses during review. (worker/src/bootstrap.ts:1583, a7db74b14248)
  • Related issue and proof gap: The PR body closes the canonical security issue and explicitly lists the remaining live gate: one disposable managed Linux lease with Tailscale enabled, a client version, a 100.x tailnet address, and provider/key/node cleanup proof. (a7db74b14248)

Likely related people:

  • steipete: Recent main history shows repeated managed bootstrap and signing-key hardening work in the central Worker and Go bootstrap paths, including commits touching these files shortly before this PR. (role: recent area contributor; confidence: high; commits: a6e328cdfbe6, 9c041ebb3eb5, 79164fd14001; files: worker/src/bootstrap.ts, internal/cli/bootstrap.go, worker/src/tailscale.ts)
  • vincentkoc: GitHub history shows Tailscale bootstrap and cleanup hardening work adjacent to the install path. (role: feature history contributor; confidence: medium; commits: 938df1d9dfd5; files: worker/src/tailscale.ts, worker/src/bootstrap.ts, internal/cli/bootstrap.go)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 Urgent regression or broken agent/channel workflow affecting real users now. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. labels Jul 2, 2026

Development

Successfully merging this pull request may close these issues.

[security] Linux bootstrap executes unpinned installer scripts as root
