Release v0.3.3: hotfix v0.3.2 Linux PPM end-to-end (BLOCK + HIGH)

Code review on v0.3.2 caught two silent-failure bugs that made the new
Linux PPM binaries feature broken end-to-end. Both produce broken
R libraries with no error — packages "install" but fail at library()
time because the wrong tarball got extracted to the lib dir.

BLOCK — Bioc on Linux installs source as binary
  P3MBinaryIndex::fetch was unconditionally fetching
  bioconductor.org/packages/<release>/bioc/src/contrib/PACKAGES.gz on
  Linux. That index lists SOURCE tarballs (Bioc doesn't serve Linux
  binaries), but they got registered in the binary index and routed
  through install_binary_package — which extracts them as if they had
  pre-built libs/*.so. Result: any Bioc package on a Linux project was
  silently broken. Fix: gate bioc_fut with `!info.is_linux`.

HIGH — Per-package downloads didn't carry the R-shaped User-Agent
  PPM serves source vs. binary at the same URL based on UA. v0.3.2 set
  the UA on the index fetch (correctly got binary URLs in the listing)
  but the per-package downloads in download_one used a bare client.get(),
  so PPM served source for every actual tarball. We extracted the source
  trees as if they were binaries → unloadable installs.
  Fix: threaded a `user_agent: Option<&str>` field through DownloadSpec
  and download_one; sync.rs sets it for any URL containing /__linux__/.

MED — r_minor wired into the UA (drops hardcoded "4.5.3")
  Future-proof against PPM tightening its UA sniffing rules. The actual
  project R minor was already in scope at the call site.

Tests added:
- ppm_codename_rhel_centos_naming_discontinuity: pins the rhel-7/8 →
  centos7/8 / rhel-9 → rhel9 mapping (the asymmetric naming is the
  highest-value regression anchor in the table).
- linux_user_agent_uses_r_minor_not_hardcoded: asserts the UA reflects
  the wired r_minor for both x86_64 and aarch64.

163 uvr-core tests, 31 CLI tests, 45 unit tests. Clippy clean (added a
single allow for too_many_arguments on download_one — 8 params is past
clippy's 7-arg threshold but the alternative of bundling into a struct
adds more noise than it saves).

Per cadence rule: install-blocking-bug exception applies — v0.3.2 was
a feature release whose feature is broken; v0.3.3 is the right fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Author: nbafrank

CHANGELOG.md

@@ -7,6 +7,41 @@ release page on GitHub. Issue numbers reference https://github.com/nbafrank/uvr/
 
 Pure tracking section — fixes and small features land here between tags.
 
+## v0.3.3 (2026-04-30)
+
+Hotfix for v0.3.2's Linux PPM binaries — the feature was end-to-end
+broken in two ways found by post-release code review. Both produced
+silent install corruption (no error, just unloadable packages at
+`library()` time). Allowed under the cadence rule's install-blocking
+exception.
+
+### Fixes
+- **Linux PPM package downloads now carry the R-shaped User-Agent.**
+  v0.3.2 set the UA on the index fetch (which correctly returned binary
+  URLs) but not on the per-package tarball downloads. PPM serves source
+  vs. binary at the same URL based on UA — without it on the download,
+  every "binary" package was actually a source tarball that
+  `install_binary_package` extracted as if it had pre-compiled `.so`
+  files. Threaded a `user_agent` field through `DownloadSpec` and
+  `download_one`; sync sets it for any URL containing `/__linux__/`.
+- **Bioconductor packages on Linux no longer enter the binary path.**
+  v0.3.2 fetched `bioconductor.org/packages/<release>/bioc/src/contrib/PACKAGES.gz`
+  on Linux and registered those URLs in the binary index — but
+  Bioconductor doesn't serve Linux binaries, so the tarballs at those
+  URLs are sources. They got installed as binaries → unloadable. Now
+  guarded with `!info.is_linux` so Bioc on Linux falls through to
+  source install (same path as before #55).
+- **Linux UA uses the project's actual R minor instead of a hardcoded
+  `4.5.3`.** Future-proof against PPM tightening its UA sniffing.
+
+### Tests
+- New `ppm_codename_rhel_centos_naming_discontinuity` pins the
+  rhel-7/8 → centos7/8 / rhel-9 → rhel9 mapping (the asymmetry was an
+  unsigned cliff in the table).
+- New `linux_user_agent_uses_r_minor_not_hardcoded` asserts both arch
+  variants (x86_64, aarch64) get the right UA from the wired-through
+  `r_minor`.
+
 ## v0.3.2 (2026-04-30)
 
 Linux gets pre-built binary packages. The platform-support table no

Cargo.lock

@@ -3,7 +3,7 @@ members = ["crates/uvr", "crates/uvr-core"]
 resolver = "2"
 
 [workspace.package]
-version = "0.3.2"
+version = "0.3.3"
 edition = "2021"
 authors = ["uvr contributors"]
 license = "MIT"

Cargo.toml

@@ -49,6 +49,7 @@ impl Downloader {
                 let url = spec.url.to_string();
                 let fallback_url = spec.fallback_url.map(str::to_string);
                 let is_binary = spec.is_binary;
+                let user_agent = spec.user_agent.map(str::to_string);
                 // Binary packages: lockfile checksum is for the source tarball, not the
                 // P3M binary. Skip verification on binary downloads, but keep the
                 // checksum for the fallback path which downloads the source tarball.
@@ -62,14 +63,16 @@ impl Downloader {
                 tokio::spawn(async move {
                     let _permit = sem.acquire().await.unwrap();
 
-                    // Try primary URL
+                    // Try primary URL. The UA override only applies to the
+                    // primary path — fallbacks (CRAN source) don't need it.
                     let primary_result = download_one(
                         &client,
                         &cache_dir,
                         &pkg_name,
                         &pkg_version,
                         &url,
                         primary_checksum.as_deref(),
+                        user_agent.as_deref(),
                         &mp,
                     )
                     .await;
@@ -100,6 +103,7 @@ impl Downloader {
                                 &pkg_version,
                                 fallback,
                                 source_checksum.as_deref(),
+                                None, // fallback URL is plain CRAN source — no UA override needed
                                 &mp,
                             )
                             .await?;
@@ -129,6 +133,11 @@ pub struct DownloadSpec<'a> {
     /// Fallback URL to try if primary fails (e.g. source tarball when P3M binary 500s).
     pub fallback_url: Option<&'a str>,
     pub is_binary: bool,
+    /// Per-request `User-Agent` override. Set this for Linux PPM binary
+    /// URLs — PPM uses the UA to choose between binary and source builds
+    /// served at the same URL, and the default `uvr/x.y.z` UA gets you
+    /// source. None = use the client's default UA.
+    pub user_agent: Option<&'a str>,
 }
 
 /// Result of downloading a single package.
@@ -158,13 +167,15 @@ fn cran_archive_url(url: &str) -> Option<String> {
     Some(format!("{base}/src/contrib/Archive/{pkg_name}/{filename}"))
 }
 
+#[allow(clippy::too_many_arguments)]
 async fn download_one(
     client: &reqwest::Client,
     cache_dir: &Path,
     name: &str,
     version: &str,
     url: &str,
     expected_checksum: Option<&str>,
+    user_agent: Option<&str>,
     mp: &MultiProgress,
 ) -> Result<PathBuf> {
     // Derive the cache filename from the URL so that source tarballs (.tar.gz)
@@ -230,14 +241,23 @@ async fn download_one(
 
     // Stream response to a temp file to avoid buffering entire packages in RAM.
     // Compute checksums on-the-fly during the stream.
-    let mut resp_result = match client.get(url).send().await {
+    let request = |target: &str| {
+        let mut req = client.get(target);
+        if let Some(ua) = user_agent {
+            req = req.header(reqwest::header::USER_AGENT, ua);
+        }
+        req
+    };
+    let mut resp_result = match request(url).send().await {
         Ok(r) => r.error_for_status(),
         Err(e) => Err(e),
     };
     if resp_result.is_err() {
         if let Some(archive_url) = cran_archive_url(url) {
             debug!("{name}: {url} failed, retrying via CRAN Archive: {archive_url}");
-            resp_result = match client.get(&archive_url).send().await {
+            // CRAN Archive doesn't require the R-shaped UA, but plumbing the
+            // override here is harmless and keeps requests symmetric.
+            resp_result = match request(&archive_url).send().await {
                 Ok(r) => r.error_for_status(),
                 Err(e) => Err(e),
             };

crates/uvr-core/src/installer/download.rs

@@ -45,7 +45,7 @@ impl P3MBinaryIndex {
         bioc_release: Option<&str>,
         posit_distro_slug: Option<&str>,
     ) -> Self {
-        let Some(info) = platform_info(platform, posit_distro_slug) else {
+        let Some(info) = platform_info(platform, posit_distro_slug, r_minor) else {
             // Unsupported platform combination: macOS x86 / Windows always
             // OK; Linux only when we recognise the distro. Falls through
             // to source — same behavior as before #55.
@@ -55,10 +55,19 @@ impl P3MBinaryIndex {
         let cran_fut = fetch_repo_index(client, r_minor, &info, P3MRepo::Cran);
         let bioc_fut = async {
             match bioc_release {
-                Some(release) => fetch_repo_index(client, r_minor, &info, P3MRepo::Bioc(release))
-                    .await
-                    .ok(),
-                None => None,
+                // BLOCK fix: Bioconductor doesn't serve Linux binaries — its
+                // /packages/<release>/bioc/src/contrib/PACKAGES.gz is the
+                // SOURCE index. Without this guard, Linux projects with Bioc
+                // deps would register source tarball URLs in the binary index,
+                // and `install_binary_package` would extract a source tree
+                // (R/, src/, no libs/*.so) into the library — silently broken
+                // installs that fail at `library()` time.
+                Some(release) if !info.is_linux => {
+                    fetch_repo_index(client, r_minor, &info, P3MRepo::Bioc(release))
+                        .await
+                        .ok()
+                }
+                _ => None,
             }
         };
         let (cran_result, bioc_result) = tokio::join!(cran_fut, bioc_fut);
@@ -280,7 +289,11 @@ struct PlatformInfo {
 /// `posit_distro_slug` should be the same slug uvr uses for the R install
 /// URL (`ubuntu-2204`, `debian-12`, `rhel-9`, …); we translate it to PPM's
 /// codename system (`jammy`, `bookworm`, `rhel9`) here.
-fn platform_info(platform: Platform, posit_distro_slug: Option<&str>) -> Option<PlatformInfo> {
+fn platform_info(
+    platform: Platform,
+    posit_distro_slug: Option<&str>,
+    r_minor: &str,
+) -> Option<PlatformInfo> {
     match platform {
         Platform::MacOsArm64 => Some(PlatformInfo {
             url_segment: "macosx/big-sur-arm64".to_string(),
@@ -317,10 +330,11 @@ fn platform_info(platform: Platform, posit_distro_slug: Option<&str>) -> Option<
             } else {
                 "aarch64"
             };
-            // R prints UA as `R (<ver> <triple> <arch> <os>-gnu)`. We use a
-            // current R minor; PPM only checks for "R " prefix and a Linux
-            // arch in the triple — exact ver isn't material.
-            let user_agent = format!("R (4.5.3 {arch}-pc-linux-gnu {arch} linux-gnu)");
+            // R prints UA as `R (<ver> <triple> <arch> <os>-gnu)`. PPM
+            // currently sniffs the "R " prefix and the linux-gnu marker;
+            // pass the actual r_minor so the UA stays plausibly current
+            // if PPM tightens its sniffing rules.
+            let user_agent = format!("R ({r_minor}.0 {arch}-pc-linux-gnu {arch} linux-gnu)");
             Some(PlatformInfo {
                 url_segment: String::new(),
                 cache_key: format!("linux-{codename}-{arch}"),
@@ -473,15 +487,15 @@ Version: 1.1.4
 
     #[test]
     fn platform_info_macos_arm64() {
-        let info = platform_info(Platform::MacOsArm64, None).unwrap();
+        let info = platform_info(Platform::MacOsArm64, None, "4.5").unwrap();
         assert_eq!(info.url_segment, "macosx/big-sur-arm64");
         assert_eq!(info.pkg_ext, "tgz");
         assert!(!info.is_linux);
     }
 
     #[test]
     fn platform_info_windows() {
-        let info = platform_info(Platform::WindowsX86_64, None).unwrap();
+        let info = platform_info(Platform::WindowsX86_64, None, "4.5").unwrap();
         assert_eq!(info.url_segment, "windows");
         assert_eq!(info.pkg_ext, "zip");
         assert!(!info.is_linux);
@@ -490,8 +504,8 @@ Version: 1.1.4
     #[test]
     fn platform_info_linux_supported_distro() {
         // #55: Linux gets a binary index when the distro maps to a PPM codename.
-        let info =
-            platform_info(Platform::LinuxX86_64, Some("ubuntu-2204")).expect("ubuntu-2204 covered");
+        let info = platform_info(Platform::LinuxX86_64, Some("ubuntu-2204"), "4.5")
+            .expect("ubuntu-2204 covered");
         assert!(info.is_linux);
         assert_eq!(info.linux_codename.as_deref(), Some("jammy"));
         assert_eq!(info.pkg_ext, "tar.gz");
@@ -504,10 +518,10 @@ Version: 1.1.4
     #[test]
     fn platform_info_linux_unknown_distro_none() {
         // Slackware isn't on PPM — falls back to None (source-only).
-        assert!(platform_info(Platform::LinuxX86_64, Some("slackware-15")).is_none());
-        assert!(platform_info(Platform::LinuxArm64, Some("nixos-2411")).is_none());
+        assert!(platform_info(Platform::LinuxX86_64, Some("slackware-15"), "4.5").is_none());
+        assert!(platform_info(Platform::LinuxArm64, Some("nixos-2411"), "4.5").is_none());
         // Without a slug, we can't translate.
-        assert!(platform_info(Platform::LinuxX86_64, None).is_none());
+        assert!(platform_info(Platform::LinuxX86_64, None, "4.5").is_none());
     }
 
     #[test]
@@ -552,6 +566,37 @@ Version: 1.1.4
         assert!(ppm_linux_codename("alpine-3.21").is_none());
     }
 
+    #[test]
+    fn ppm_codename_rhel_centos_naming_discontinuity() {
+        // RHEL 9 broke the centosN naming convention because CentOS Stream
+        // replaced CentOS Linux. Pin both the symmetric and the asymmetric
+        // cases since they're the highest-value regression anchors when
+        // someone edits the match table.
+        assert_eq!(ppm_linux_codename("rhel-7"), Some("centos7"));
+        assert_eq!(ppm_linux_codename("centos-7"), Some("centos7"));
+        assert_eq!(ppm_linux_codename("rhel-8"), Some("centos8"));
+        assert_eq!(ppm_linux_codename("centos-8"), Some("centos8"));
+        assert_eq!(ppm_linux_codename("rhel-9"), Some("rhel9"));
+        assert_eq!(ppm_linux_codename("centos-9"), Some("rhel9"));
+    }
+
+    #[test]
+    fn linux_user_agent_uses_r_minor_not_hardcoded() {
+        // Reviewer flagged the prior hardcoded "4.5.3" UA as a future
+        // staleness risk if PPM tightens its UA matching. r_minor flows
+        // through and shows up in the UA — verify both arch variants.
+        let info_x86 =
+            platform_info(Platform::LinuxX86_64, Some("ubuntu-2204"), "4.6").expect("supported");
+        let ua = info_x86.user_agent.expect("Linux gets a UA");
+        assert!(ua.starts_with("R (4.6.0 x86_64-pc-linux-gnu"), "got {ua}");
+        assert!(ua.contains("linux-gnu"));
+
+        let info_arm =
+            platform_info(Platform::LinuxArm64, Some("debian-12"), "4.5").expect("supported");
+        let ua = info_arm.user_agent.expect("Linux gets a UA");
+        assert!(ua.starts_with("R (4.5.0 aarch64-pc-linux-gnu"), "got {ua}");
+    }
+
     #[test]
     fn empty_index() {
         let idx = P3MBinaryIndex::empty();

crates/uvr-core/src/registry/p3m.rs

@@ -421,8 +421,34 @@ pub async fn install_from_lockfile(
         is_binary: bool,
     }
 
+    // Linux-specific UA. PPM serves source vs. binary at the same URL, gated
+    // by the User-Agent. The index fetch in `P3MBinaryIndex::fetch` sets this
+    // UA on its own request; we need to set the same UA on the per-package
+    // tarball downloads or PPM serves source for those even though the index
+    // told us they were binary (would extract a source tree as if it were a
+    // binary package — silent breakage). Built once and attached per-spec
+    // below.
+    let detected_platform = Platform::detect();
+    let linux_ppm_user_agent: Option<String> = match detected_platform {
+        Ok(p) if matches!(p, Platform::LinuxX86_64 | Platform::LinuxArm64) => {
+            let slug = uvr_core::r_version::downloader::detect_posit_distro_slug();
+            uvr_core::registry::p3m::ppm_linux_codename(&slug).map(|_| {
+                let arch = if matches!(p, Platform::LinuxX86_64) {
+                    "x86_64"
+                } else {
+                    "aarch64"
+                };
+                // R version is the project's actual minor, not a hardcoded
+                // string — future-proofs the UA against PPM tightening its
+                // sniffing rules.
+                format!("R ({r_minor_str}.0 {arch}-pc-linux-gnu {arch} linux-gnu)")
+            })
+        }
+        _ => None,
+    };
+
     let plans: Vec<PkgPlan> = if !cache_misses.is_empty() {
-        let p3m = match Platform::detect() {
+        let p3m = match detected_platform {
             Ok(platform) => {
                 // #55: Linux gets binaries via PPM's `__linux__/<codename>` URL
                 // space, gated by a User-Agent the registry sets internally.
@@ -516,6 +542,14 @@ pub async fn install_from_lockfile(
                 url: &p.url,
                 fallback_url: p.fallback_url.as_deref(),
                 is_binary: p.is_binary,
+                // Attach the R-shaped UA only for Linux PPM binary URLs so
+                // PPM serves the binary tarball, not source. macOS / Windows
+                // / source-fallback paths leave it None (default uvr UA).
+                user_agent: if p.is_binary && p.url.contains("/__linux__/") {
+                    linux_ppm_user_agent.as_deref()
+                } else {
+                    None
+                },
             })
             .collect();