fix(installer): four dogfood-discovered bugs blocking curl-pipe-bash on bare Ubuntu#18
Merged
Conversation
…on bare Ubuntu
End-to-end dogfood retest of v0.3.2-rc1 against bare ubuntu:24.04 (no
preinstalled deps beyond curl + ca-certificates) surfaced four issues
that block the documented `curl ... | bash` happy path:
1. **`file(1)` dependency in curl-installer** — packaging/curl-installer/
install.sh:168 used `file --` to validate gzip magic before sha256.
The `file` package is NOT preinstalled on minimal Ubuntu/Debian cloud
images or most Docker base images. Replaced with `head -c 2 + od -tx1`
magic-byte read against `1f8b` (RFC 1952). Pure coreutils — `head` and
`od` are always present. Diagnostic value preserved (still distinguishes
"wrong magic" from "wrong sha256"; on failure now reports the actual
magic bytes observed, e.g. `(magic bytes: 3c21)` for an HTML 404 body).
2. **`sudo` package missing on bare Ubuntu** — plugin/provisioner/
20-sudoers.sh:75 invoked `visudo -cf` which comes from the `sudo`
package (not preinstalled on minimal images). Mirrors the existing
pattern in 10-agent-user.sh that auto-installs `locales` if
`locale-gen` is missing. New gate at the top of 20-sudoers.sh:
`command -v visudo || apt-get install -y --no-install-recommends sudo`.
3. **No VERSION sentinel in release artifacts** — packaging/curl-installer/
install.sh:111 follows `releases/latest/download/VERSION` and parses
the redirect URL to discover the latest tag. The asset isn't read —
only the redirect URL matters — but `curl -fsSIL` requires the redirect
target to return 2xx, not 404. Without VERSION shipped per release,
any unpinned `curl ... | bash` against an asset-less release dies with
`could not resolve latest version`. Fixed by adding a one-line write to
`dist/VERSION` (containing the tag) in scripts/build-release.sh §10b
and adding `dist/VERSION` to the publish files glob in release.yml.
4. **(operational, not in this commit)** v0.3.2-rc1 was published as a
full GitHub release rather than a pre-release, so `releases/latest`
redirected to it. Fixed via `gh release edit v0.3.2-rc1 --prerelease`.
Future RCs should be built/published with the GitHub Releases
"pre-release" flag set; tracked separately.
Test rig: bare ubuntu:{22.04, 24.04, 26.04} Docker, curl + ca-certificates
only, AGENTLINUX_RELEASE_BASE pointed at a local serve of the patched
tarball, AGENTLINUX_VERSION=v0.3.2-rc1. All three Ubuntu versions reach a
green `claude update` (2.1.98 → 2.1.126) with zero EACCES /
permission-denied lines in the install + agent-install + claude-update
transcripts. AGT-02 release-gate behavior confirmed against the published
RC artifacts after applying these fixes locally.
Refs: AL-18 (first-dogfood follow-up), AL-21 (dogfood retest sub-task)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Second-dogfood retest of
v0.3.2-rc1against bareubuntu:24.04(no preinstalled deps beyondcurl+ca-certificates) surfaced four bugs blockingcurl ... | bash. This PR fixes them.Bugs fixed
file(1)dependency in curl-installer (packaging/curl-installer/install.sh:168)file --not present on minimal Ubuntu / Docker base images.head -c 2 + od -tx1magic-byte read against1f8b(RFC 1952). Pure coreutils.sudopackage missing on bare Ubuntu (plugin/provisioner/20-sudoers.sh:75)visudois in thesudopackage, not preinstalled on minimal images.locale-genauto-install pattern in10-agent-user.sh. Auto-installssudoifvisudomissing.No
VERSIONsentinel in release artifactsinstall.shfollowsreleases/latest/download/VERSIONand parses the redirect URL to discover the latest tag.VERSIONshipped per release, any unpinnedcurl ... | bashdies with "could not resolve latest version" becausecurl -fsSILfails on the redirect's 404 target.scripts/build-release.shwritesdist/VERSION;release.ymlpublishes it.Operational (not in this commit):
v0.3.2-rc1was published as a full GitHub release.gh release edit v0.3.2-rc1 --prereleasealready executed. Future RCs should set the pre-release flag at publish time — tracked separately.Test rig
Results — all three Ubuntu versions:
claudebinary owned byagent:agentat/home/agent/.local/bin/claude(not under/usr/local/bin— AGT-02 invariant intact).Test plan
gate-1-precommitgate-2-docker × {22.04, 24.04, 26.04}gate-3-qemu × {22.04, 24.04}v0.3.2-rc2, push, run a fresh dogfood against the published RC artifacts (not the local serve)Refs: AL-18, AL-21