Skip to content

feat(packaging): validate Debian 13 installer for v0.2.4#147

Draft
SSobol77 wants to merge 2 commits into
release/v0.2.4from
test/v0.2.4-debian-installer
Draft

feat(packaging): validate Debian 13 installer for v0.2.4#147
SSobol77 wants to merge 2 commits into
release/v0.2.4from
test/v0.2.4-debian-installer

Conversation

@SSobol77

@SSobol77 SSobol77 commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

Harden the ECLI v0.2.4 Debian installation path and establish the final two-stage Debian 13 deployment contract:

  1. run the standalone ECLI linter installer;
  2. install the ECLI Debian package.

This is the physical-validation track for release gate #146.

Tracks #146.

Branches

base: release/v0.2.4
head: test/v0.2.4-debian-installer
head commit: 3c97d8f610ad53808703ba3c08cce143fcd65caf
implementation commit: 8c7b158fd32d0808af89aa18273dc3e181b3b6a1
test-isolation follow-up: 3c97d8f610ad53808703ba3c08cce143fcd65caf

Architecture

The standalone linter installer provisions:

/opt/ecli/payload/bin
/opt/ecli/payload/packages
/etc/profile.d/ecli_payload.sh

Validated toolchain contract:

11 managed tools
8 Debian-provided tools
19 provisioned and verified executables
14 registered F4 diagnostic providers

The ECLI .deb does not download linters, invoke package managers from maintainer scripts, or mutate user home directories.

Main changes

  • add the hardened interactive Debian linter installer;
  • add pinned versions and SHA-256 verification;
  • add the committed markdownlint npm lock;
  • reject unsafe paths, mutable URLs, archive traversal, duplicate members, wrong ELF architecture, and concurrent installer execution;
  • enforce deterministic payload ownership and permissions;
  • prepend the approved ECLI payload path and reject stale /usr/local/bin shadowing;
  • add ecli --f4-check;
  • add 19-tool diagnostic smoke verification;
  • add the missing zlib1g Debian runtime dependency;
  • make the Debian builder atomic and fail-closed;
  • add mandatory Lintian validation;
  • make Debian package generation reproducible;
  • make Debian maintainer scripts non-destructive;
  • document the complete four-file installer bundle;
  • hard-disable the non-canonical Snap Makefile surface;
  • preserve the legacy F4 packaging hook only as post-promotion, non-gating compatibility evidence;
  • isolate the missing-executable probe test from host-preinstalled tools.

Verified Debian artifact

releases/0.2.4/ecli_0.2.4_linux_x86_64.deb

SHA-256:

020148a9b934ba5a972d7bb2bb83d25ad7937d11bcf6e607b1ff909e5a579fe9

Validation completed

  • repository suite: 2271 passed, 4 pre-existing non-Debian skips;
  • Ruff check and format check: PASS;
  • runtime import validation: PASS;
  • Gate 2: PASS;
  • minimal Debian 13 .deb-only installation without preinstalled Python or linter toolchain: PASS;
  • two independent byte-identical Debian builds: PASS;
  • Lintian: 0 errors, 0 warnings, one documented PyInstaller hardening-no-pie override;
  • 19/19 executable version probes: PASS;
  • 19/19 direct diagnostic fixtures: PASS;
  • installed ecli --f4-check: PASS;
  • stale PATH shadowing rejection: PASS;
  • upgrade from the exact v0.2.3 package: PASS;
  • reinstall, remove, and purge: PASS;
  • root and regular-user data preservation: PASS;
  • isolated four-file installer bundle: PASS;
  • independent owner-side source, artifact, and evidence audit: PASS.

Local evidence

run-20260712T113651Z.tar.gz
SHA-256: 5ce7706c806a2b23783f1a3493d6a7f172021fc76ab9fb8ef68077dc7186f8c0

hook-fix-20260712T160151Z.tar.gz
SHA-256: cbddc08539c37ea29e7f41979822f9b0f692c08acd7b38f035fcf8988eade6d2

GitHub Actions validation

All required manually dispatched contract workflows passed on the exact PR head:

head: 3c97d8f610ad53808703ba3c08cce143fcd65caf

The first macOS attempt encountered a transient hdiutil create Resource busy condition. A clean rerun on the same source head built and validated the DMG successfully; no macOS source change was required.

Mandatory merge gate

This PR must remain unmerged until the standalone linter installer and Debian package are physically tested on a second clean Debian 13 machine.

The physical validation must include:

  • Python bootstrap and the complete four-file installer bundle;
  • interactive full installation through the A menu selection;
  • dependency installation;
  • /opt/ecli/payload ownership and permissions;
  • login-shell PATH activation;
  • 19/19 version probes;
  • .deb checksum verification and installation;
  • ecli --version;
  • ecli --f4-check;
  • real F4 Diagnostics use from the installed application;
  • reinstall;
  • upgrade where applicable;
  • remove and purge;
  • preservation of user-owned data.

Any defect found during the physical test must be fixed on this same branch, reviewed by CI, and physically revalidated before merge.

Out of scope

This PR does not:

  • merge before physical Debian validation;
  • create the v0.2.4 tag;
  • create a GitHub Release;
  • publish to PyPI;
  • publish the complete 21-artifact release matrix;
  • publish other platform installers.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c5de9e62-33ae-4bbe-95d2-6b68d418c648

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch test/v0.2.4-debian-installer

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

💡 Need a hand with PR review? Try Gitar by Sonar!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant