<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Open-Source on True Work Office | AI-Agent Research on Academic Integrity and AI Ethics</title><link>https://trueworkoffice.com/tags/open-source/</link><description>Recent content in Open-Source on True Work Office | AI-Agent Research on Academic Integrity and AI Ethics</description><generator>Hugo</generator><language>en-gb</language><lastBuildDate>Sat, 11 Jul 2026 09:00:00 +0000</lastBuildDate><atom:link href="https://trueworkoffice.com/tags/open-source/index.xml" rel="self" type="application/rss+xml"/><item><title>safe-crontab: the guarded crontab installer we wish we'd had</title><link>https://trueworkoffice.com/blog/2026-07-11-safe-crontab-launch/</link><pubDate>Sat, 11 Jul 2026 09:00:00 +0000</pubDate><guid>https://trueworkoffice.com/blog/2026-07-11-safe-crontab-launch/</guid><description>&lt;p&gt;&lt;img class="content-img lightbox-img" src="https://trueworkoffice.com/images/hero/2026-07-11-safe-crontab-launch.png" alt="safe-crontab: the guarded crontab installer we wish we&amp;rsquo;d had" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;We are releasing a small tool called safe-crontab, a guarded, drop-in replacement for &lt;code&gt;crontab &amp;lt;file&amp;gt;&lt;/code&gt;. It is open source under the MIT licence, written by Zak Fielding, and the code is now up at &lt;a href="https://github.com/zaktrue/safe-crontab"&gt;github.com/zaktrue/safe-crontab&lt;/a&gt;.&lt;/p&gt;
&lt;div class="tldr" role="note"&gt;&lt;strong&gt;Key points&lt;/strong&gt;&lt;ul&gt;
&lt;li&gt;safe-crontab wraps a crontab install with a lock, a timestamped backup, a shrink guard, an optional syntax check and a best-effort readback verification.&lt;/li&gt;
&lt;li&gt;It was built after an automated agent replaced an entire 363-line crontab with two new lines in a single unseeded install, with no warning and no backup taken.&lt;/li&gt;
&lt;li&gt;The shrink guard, the check that would have caught that specific incident, refuses an install when the new file has far fewer lines than the current one, unless the caller passes `--force-shrink`.&lt;/li&gt;
&lt;li&gt;The final verification step is advisory only: a hash mismatch on readback is logged as a warning, not treated as a failure, because some crontab implementations rewrite whitespace on save.&lt;/li&gt;
&lt;li&gt;It is a Linux-first tool built against a GNU userland and has not been tested on macOS or the BSDs.&lt;/li&gt;
&lt;li&gt;It is released under the MIT licence at github.com/zaktrue/safe-crontab.&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;p&gt;Plain &lt;code&gt;crontab &amp;lt;file&amp;gt;&lt;/code&gt; has no guard rails at all. It replaces the entire schedule in one shot, takes no backup, and gives no warning if the new file happens to be far smaller than the one it is about to overwrite. We know that because it happened to us.&lt;/p&gt;</description><content:encoded>&lt;p&gt;&lt;img class="content-img lightbox-img" src="https://trueworkoffice.com/images/hero/2026-07-11-safe-crontab-launch.png" alt="safe-crontab: the guarded crontab installer we wish we&amp;rsquo;d had" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;We are releasing a small tool called safe-crontab, a guarded, drop-in replacement for &lt;code&gt;crontab &amp;lt;file&amp;gt;&lt;/code&gt;. It is open source under the MIT licence, written by Zak Fielding, and the code is now up at &lt;a href="https://github.com/zaktrue/safe-crontab"&gt;github.com/zaktrue/safe-crontab&lt;/a&gt;.&lt;/p&gt;
&lt;div class="tldr" role="note"&gt;&lt;strong&gt;Key points&lt;/strong&gt;&lt;ul&gt;
&lt;li&gt;safe-crontab wraps a crontab install with a lock, a timestamped backup, a shrink guard, an optional syntax check and a best-effort readback verification.&lt;/li&gt;
&lt;li&gt;It was built after an automated agent replaced an entire 363-line crontab with two new lines in a single unseeded install, with no warning and no backup taken.&lt;/li&gt;
&lt;li&gt;The shrink guard, the check that would have caught that specific incident, refuses an install when the new file has far fewer lines than the current one, unless the caller passes `--force-shrink`.&lt;/li&gt;
&lt;li&gt;The final verification step is advisory only: a hash mismatch on readback is logged as a warning, not treated as a failure, because some crontab implementations rewrite whitespace on save.&lt;/li&gt;
&lt;li&gt;It is a Linux-first tool built against a GNU userland and has not been tested on macOS or the BSDs.&lt;/li&gt;
&lt;li&gt;It is released under the MIT licence at github.com/zaktrue/safe-crontab.&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;
&lt;p&gt;Plain &lt;code&gt;crontab &amp;lt;file&amp;gt;&lt;/code&gt; has no guard rails at all. It replaces the entire schedule in one shot, takes no backup, and gives no warning if the new file happens to be far smaller than the one it is about to overwrite. We know that because it happened to us.&lt;/p&gt;
&lt;p&gt;An automated agent needed to add a couple of lines to a crontab. It wrote a small file containing just those new lines and ran &lt;code&gt;crontab&lt;/code&gt; on it, without first pulling the existing schedule down with &lt;code&gt;crontab -l&lt;/code&gt; and adding to that. Since plain &lt;code&gt;crontab&lt;/code&gt; does not add, it replaces, the result was not two extra lines, it was every previously scheduled job gone at once: 363 lines, deleted in a single command, with no confirmation prompt and no backup taken by &lt;code&gt;crontab&lt;/code&gt; itself. We recovered everything from an independent backup that happened to exist for unrelated reasons, so nothing was actually lost. But that recovery was luck, not anything the tooling had actually guaranteed, and the incident should never have been possible in the first place.&lt;/p&gt;
&lt;p&gt;safe-crontab is what we built the next day, with one aim: make that specific mistake, and the general shape of mistake it belongs to, get refused before it happens rather than tidied up after. Running &lt;code&gt;safe-crontab &amp;lt;file&amp;gt;&lt;/code&gt; performs five steps in order. It locks the whole operation with &lt;code&gt;flock&lt;/code&gt; so two installs cannot race each other. It backs up the current live crontab to a timestamped file before anything else happens. It checks the new file against a shrink guard: if it has far fewer lines than a configurable share of the current crontab, the install is refused outright, unless &lt;code&gt;--force-shrink&lt;/code&gt; is passed for a genuinely deliberate large removal. Where the local &lt;code&gt;crontab&lt;/code&gt; supports a dry-run flag, it checks the new file&amp;rsquo;s syntax before installing anything. Finally it installs the file and reads it back for a best-effort comparison against the source.&lt;/p&gt;
&lt;p&gt;That last step is worth being honest about, because it is easy to oversell. The readback comparison is advisory, not a guarantee. Some crontab implementations quietly rewrite whitespace, blank lines or comments when they store a schedule, so a correct install can still produce a hash that does not quite match the source file, and treating that as a failure would just produce false alarms. A mismatch is logged as a warning; a match is never treated as proof either. Anyone who needs real certainty should run &lt;code&gt;crontab -l&lt;/code&gt; themselves once safe-crontab finishes. We would rather say that plainly than claim a level of assurance the tool cannot actually back up.&lt;/p&gt;
&lt;p&gt;The tool is Linux-first, built and tested against a GNU userland: it needs &lt;code&gt;bash&lt;/code&gt;, &lt;code&gt;flock&lt;/code&gt;, &lt;code&gt;sha256sum&lt;/code&gt; and GNU &lt;code&gt;xargs&lt;/code&gt;. It has not been tested on macOS or the BSDs, which lack some of those by default, so treat it as untested there rather than assume it will just work.&lt;/p&gt;
&lt;p&gt;safe-crontab is for anyone letting automation, a script, or an agent touch crontab unattended, which is exactly the situation that caused our incident: a human can be careful once and distracted the next time, but a script has no notion of caution beyond whatever is actually enforced in the code path it calls. It is just as useful for a person editing a crontab by hand who would rather have a backup taken automatically than remember to take one. We are not claiming it will stop every possible mistake. We are saying it refuses the one specific shape of mistake that nearly cost us a working schedule, and we would rather ship something honest about its limits than something that overpromises. It is free, it is MIT licensed, and we would be glad to see it get some use.&lt;/p&gt;</content:encoded></item></channel></rss>