Skip to content

docs(secure-agent-setup): add Linux Mint 22 / Ubuntu Noble shortcut#12

Merged
potiuk merged 1 commit into
mainfrom
secure-agent-mint-option
Apr 29, 2026
Merged

docs(secure-agent-setup): add Linux Mint 22 / Ubuntu Noble shortcut#12
potiuk merged 1 commit into
mainfrom
secure-agent-mint-option

Conversation

@potiuk

@potiuk potiuk commented Apr 29, 2026

Copy link
Copy Markdown
Member

Stacked on #11. Adds a Distro-specific shortcut section under Install commands for the case where the framework's upstream pins (bubblewrap 0.11.1, socat 1.8.1.1) are not in the adopter's main repos — Ubuntu Noble (and its Mint 22.x downstream) ship bubblewrap 0.9.0 and socat 1.8.0.0 instead, both well past the 7-day cooldown and a legitimate adopter choice.

The framework's pinned-versions.toml is unchanged — the upstream pin is still what the weekly check-tool-updates routine compares against. The new section just documents the apt-pinned alternative for adopters who don't want a source build.

This PR's diff currently includes #11's content too (since it branches from secure-agent-setup). Once #11 merges, this PR's diff against main collapses to just the new section.

🤖 Generated with Claude Code

The pinned bubblewrap (0.11.1) and socat (1.8.1.1) versions in
`tools/agent-isolation/pinned-versions.toml` are the upstream
releases that have aged past the framework's 7-day cooldown — they
are NOT in Ubuntu Noble's main repos. Noble ships:

  bubblewrap 0.9.0  (0.9.0-1ubuntu0.1)
  socat      1.8.0.0 (1.8.0.0-4build3)

Both pre-date the framework's pins by months and are well past the
cooldown, so they're a legitimate adopter choice on Mint 22.
Ubuntu 24.04 — but the framework's main install path documents the
upstream pins, which leaves Mint/Noble adopters without a cl
story.

This commit adds a *Distro-specific shortcut* section under
\`Install commands\` that:

- Documents the apt-shipped versions and their \`apt_pin\` s
- Calls out the trade-off explicitly (older feature set, but apt-
  managed security backports, no source build).
- Notes that the framework's \`.claude/settings.json\` works
  unchanged — the sandbox API has been stable since bubblewr
  0.6.x.
- Tells the user how to silence the drift the check script w
  report against the upstream pins (a \`pinned-versions.local.toml\`,
  matching Claude Code's own \`settings.local.json\` convent
- Closes with the rationale for keeping this as a "shortcut" rather
  than the canonical path.

No change to \`pinned-versions.toml\` itself — the framework
default pin still tracks the upstream release stream, which is the
right thing to track for the weekly check-tool-updates routi

Generated-by: Claude Code (Claude Opus 4.7)
@potiuk potiuk force-pushed the secure-agent-mint-option branch from 9b92b6d to 698ef2c Compare April 29, 2026 13:51
@potiuk potiuk merged commit 7a19411 into main Apr 29, 2026
4 of 5 checks passed
@potiuk potiuk deleted the secure-agent-mint-option branch April 29, 2026 13:52
@andreahlert andreahlert added the mode:platform Substrate / infra — not a mode (sandbox, CI, validators) label May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mode:platform Substrate / infra — not a mode (sandbox, CI, validators)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants