📋 PLAN: Bash Upgrade & Shebang Standardization

DRAFT — 2026-03-16 — Author: Walter 🦉
Awaiting approval from Daniel before execution.

1. Situation

We want every machine in the fleet to run the latest Bash and use #!/usr/bin/env bash as the shebang in all scripts.

Current State (Walter's machine)

Item	Value
Installed	`bash 5.2.21` (Ubuntu 24.04 / Noble)
Latest release	`bash 5.3` (from ftp.gnu.org)
Shebang in snapshot-all.sh	`#!/bin/bash` (needs change)
Package manager	apt (Debian/Ubuntu on all GCP VMs)

2. Decision Points

Decision A: How to get Bash 5.3?

Option 1: Compile from source — download bash-5.3.tar.gz, ./configure && make && make install to /usr/local/bin/bash. Gives us 5.3 immediately.

Option 2: Wait for distro package — Ubuntu Noble ships 5.2.21. Bash 5.3 will land in a future Ubuntu release or PPA. Easier, but we stay on 5.2 for now.

Option 3: Use a PPA or backport — check if someone maintains a bash PPA for Ubuntu. Unknown reliability.

⚠️ Note: 5.2.21 is not ancient. The jump to 5.3 gives us associative array improvements, some new builtins, and bug fixes, but nothing critical. This is a "latest is best" decision, not a "we're broken" decision.

Decision B: /usr/local/bin vs replacing /usr/bin/bash?

If we compile from source, it installs to /usr/local/bin/bash by default. With #!/usr/bin/env bash, the env lookup will find /usr/local/bin/bash first (because /usr/local/bin is typically earlier in $PATH). So the shebang change + source install work together naturally.

We do NOT replace /usr/bin/bash — that belongs to the package manager.

3. The Plan (if approved)

Step 1: Audit all machines.
SSH to each VM, run bash --version, report back a table of what everyone has.
Deliverable: table. No changes.

Step 2: On ONE machine (Walter), compile Bash 5.3 from source.

cd /tmp
curl -O https://ftp.gnu.org/gnu/bash/bash-5.3.tar.gz
tar xf bash-5.3.tar.gz
cd bash-5.3
./configure --prefix=/usr/local
make
sudo make install

Verify: /usr/local/bin/bash --version → 5.3.0
Deliverable: version output. Then STOP.

Step 3: Update shebangs on Walter.
Change #!/bin/bash → #!/usr/bin/env bash in all our scripts (snapshot-all.sh, vault-snapshot.sh, etc.)
Deliverable: diff of changes. Then STOP.

Step 4: If Walter works fine, repeat Steps 2–3 on each machine, one at a time.
Order: Walter Jr → Amy → Vault → rest.
Each machine: compile, verify, update shebangs, report, STOP.

4. Machines to Cover

Machine	Hostname	OS (expected)	Bash (expected)
Walter	walter.1.foo	Ubuntu 24.04	5.2.21
Walter Jr	walter-jr.1.foo	Debian 12	5.2.x
Amy	amy.1.foo	Debian/Ubuntu	TBD
Vault	vault.1.foo	Debian/Ubuntu	TBD
Matilda	matilda.1.foo	Debian 12	5.2.x
Foreman	foreman.1.foo	Debian/Ubuntu	TBD
Captain Kirk	captain-kirk.1.foo	Debian/Ubuntu	TBD
Amy Israel	amy-israel.1.foo	Debian/Ubuntu	TBD
Ghost Jr	ghost-jr.1.foo	Debian/Ubuntu	TBD
Jamie	jamie.1.foo	Debian/Ubuntu	TBD
RMS	rms.1.foo	Debian/Ubuntu	TBD

5. Risks

Compiling from source means we own the update cycle — no automatic security patches from apt for /usr/local/bin/bash
Some system scripts expect /bin/bash specifically — we don't touch those, only OUR scripts use env bash
Build dependencies needed: gcc, make, probably already installed on all VMs

6. Open Questions for Daniel

Is 5.2.21 → 5.3 worth the compile-from-source maintenance? Or is 5.2 "good enough" and we just fix the shebangs?
Should we also update the shebang in scripts on OTHER machines (Amy's Python bot scripts use bash wrappers, etc.)?
Do we want a fleet-wide script audit to find all #!/bin/bash shebangs everywhere?