Pre-submit Checks
Describe the bug
Congrats on open sourcing Warp! Here's a few things I think are concerning with the bootstrap process of the codebase that I have spotted so far:
- According to README.md, before building Warp on a local machine, developers have to execute ./scripts/bootstrap to install the necessary dependencies. First and foremost, README.md lacks documentation explaining what the script actually does and why building needs this; common practice would be listing out the dependencies the repo needs and leaving installation to the developer's discretion.
- The ./scripts/bootstrap script conditionally executes different scripts depending on the user's platform, and the underlying scripts provide no explanation of what changes they're making to the user's machine, what is being installed and how they are installing these dependencies.
- Sudo prompt triggered upon running the script with no explanation to the user. Potentially caused by switching the primary Xcode version:
    sudo xcode-select --switch /Applications/Xcode.app/Contents/Developer
- At least on macOS, the script installs cargo-bundle from its Git repository, locked to a specific commit hash. Although personally I do not know how to exploit this, this seems scummy and could become a supply chain risk compared to using the official install from Cargo's registry.
  cargo-bundle is also a common dependency many developers have installed; replacing the existing installation without informing the user seems bad practice to me and could introduce issues if the developer is aware of the version change and goes on to use this pinned version in other repositories. As far as I know, the latest version of cargo-bundle on the registry already supports --profile, so there's no need to install it from a separate commit.
    cargo install cargo-bundle --git=https://github.com/burtonageo/cargo-bundle --rev ae4c76e92c08774bf54ff077b1c52e3d1cd6c16d
- The macOS script also seems to install a lot of dependencies from various Git repositories instead of just conventionally installing from the registry. Examples:
    cargo install --git https://github.com/wgsl-analyzer/wgsl-analyzer --tag "2025-06-28" wgslfmt
  It would have been okay if these dependencies were installed at project scope with cargo add instead of overwriting the global installation with cargo install.
- The macOS script also installs a bunch of system-wide dependencies such as sentry-cli and jq with Homebrew without asking the user. The user might have different ways of installing these dependencies, such as using curl -sL https://sentry.io/get-cli/ | sh to install the sentry-cli instead. Again, the script is installing these things without asking the user and without proper documentation of what it's doing, which is bad practice.
    brew install jq
    brew install getsentry/tools/sentry-cli
    brew install clang-format
    brew install create-dmg
    brew install multitime
    brew install powershell
    brew install pkgconf
    brew install llvm
- The script installs Docker if the user does not have it installed and assumes the user wants Docker by default; they might prefer something like OrbStack. Not sure how Docker is used during the build process but it seems unneeded.
    if ! [ "$(command -v docker)" ]; then
- Script retrieves the user's gcloud auth token and signs the user in if it's not present, without proper explanation of how it's going to be used and why it's needed.
    if [[ -z $(gcloud auth print-identity-token) ]]; then
To reproduce
- Run ./scripts/bootstrap
- Observe
Expected behavior
README.md or another markdown file should explain what the script does and what dependencies it's going to install. Would be better if developers were given the choice to install certain dependencies with an alternative package manager.
Screenshots, videos, and logs
No response
Operating system (OS)
macOS
Operating system and version
15.7.4
Shell Version
zsh 5.9 (arm64-apple-darwin24.0)
Current Warp version
Not Relevant
Regression
No, this bug or issue has existed throughout my experience using Warp
Recent working Warp date
No response
Additional context
Does this block you from using Warp daily?
No
Is this an issue only in Warp?
No, this issue happens in Warp and other terminals.
Warp Internal (ignore): linear-label:b9d78064-c89e-4973-b153-5178a31ee54e
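Added example (not part of the original issue and not Warp's own code): one way to list what a bootstrap script would change before running it, by classifying its lines without executing them. The function names, category labels and the sample input (constructed from the command lines quoted in the issue) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Static audit of a bootstrap script: nothing in the audited file is executed.

# audit_bootstrap [FILE]  -> prints "LINE<TAB>CATEGORY<TAB>COMMAND" per finding
# Reads stdin when FILE is omitted.
audit_bootstrap() {
  awk '
    function report(cat) { printf "%d\t%s\t%s\n", NR, cat, $0 }
    { sub(/^[ \t]+/, "") }                      # trim leading indentation
    /^#/ || /^$/ { next }                       # skip comments and blank lines
    /(^|[ \t;&|])sudo[ \t]/ { report("privileged") }
    /cargo install/ && /--git/ {
      # A --rev commit hash is immutable; a tag or branch can be re-pointed upstream.
      pin = "unpinned"
      if ($0 ~ /--rev[ =]/) pin = "commit"
      else if ($0 ~ /--(tag|branch)[ =]/) pin = "mutable-ref"
      report("cargo-git:" pin)
    }
    /brew install/                      { report("brew") }
    /(curl|wget)[^|]*\|[ \t]*(ba|z)?sh/ { report("pipe-to-shell") }
    /gcloud auth/                       { report("credentials") }
  ' "${1:--}"
}

# Constructed sample: the command lines quoted in the issue, as plain data.
sample_bootstrap() {
  cat <<'EOF'
sudo xcode-select --switch /Applications/Xcode.app/Contents/Developer
cargo install cargo-bundle --git=https://github.com/burtonageo/cargo-bundle --rev ae4c76e92c08774bf54ff077b1c52e3d1cd6c16d
cargo install --git https://github.com/wgsl-analyzer/wgsl-analyzer --tag "2025-06-28" wgslfmt
brew install jq
brew install getsentry/tools/sentry-cli
if [[ -z $(gcloud auth print-identity-token) ]]; then
curl -sL https://sentry.io/get-cli/ | sh
EOF
}

# Audit the file given as $1, or the constructed sample when run with no argument.
if [ "$#" -gt 0 ]; then audit_bootstrap "$1"; else sample_bootstrap | audit_bootstrap; fi
```

Output of this kind could also be pasted into a README section so that each privileged, global or credential-touching step is documented next to the line that performs it.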