diff --git a/bin/cron/osh-backup-acl-keys.sh b/bin/cron/osh-backup-acl-keys.sh
index 3258f00..059a5a8 100755
--- a/bin/cron/osh-backup-acl-keys.sh
+++ b/bin/cron/osh-backup-acl-keys.sh
@@ -177,8 +177,8 @@ fi
 # push to remote if needed
 if [ -n "$PUSH_REMOTE" ] && [ "$encryption_worked" = 1 ] && [ -r "$tarfile.gpg" ] ; then
     _log "Pushing backup file ($tarfile.gpg) remotely..."
-    # shellcheck disable=SC2086
     set +e
+    # shellcheck disable=SC2086
     scp $PUSH_OPTIONS "$tarfile.gpg" "$PUSH_REMOTE"; ret=$?
     set -e
     if [ $ret -eq 0 ]; then
diff --git a/bin/cron/osh-rotate-ttyrec.sh b/bin/cron/osh-rotate-ttyrec.sh
index 91985ea..5e7a830 100755
--- a/bin/cron/osh-rotate-ttyrec.sh
+++ b/bin/cron/osh-rotate-ttyrec.sh
@@ -21,7 +21,7 @@ if [ "$1" = "--big-only" ]; then
             tokill="$tokill $pid"
             (( ++nb ))
         fi
-    done < <(lsof -a -n -c ttyrec 2>/dev/null -- /home/ 2>/dev/null)
+    done < <(lsof -a -n -c ttyrec -- /home/ 2>/dev/null)
     if [ -n "$tokill" ]; then
         _log "Rotating $nb big ttyrec files..."
         # add || true to avoid script termination due to TOCTTOU and set -e
diff --git a/bin/dev/shell-check.sh b/bin/dev/shell-check.sh
index 96207c7..588f113 100755
--- a/bin/dev/shell-check.sh
+++ b/bin/dev/shell-check.sh
@@ -5,38 +5,71 @@ basedir=$(readlink -f "$(dirname "$0")"/../..)
 # shellcheck source=lib/shell/functions.inc
 . "$basedir"/lib/shell/functions.inc
 
-unset dockertag
-if [ "$1" = "docker" ]; then
-    dockertag=v0.7.1
-fi
-if [ -n "$2" ]; then
-    dockertag="$2"
+cd "$basedir" || exit 254
+
+# $1:
+# - docker, use shellcheck's docker
+# - system, use any installed shellcheck, this is the default if not specified
+# - anything_else, attempt to use shellcheck's docker with this tag
+
+# $2:
+# - (empty), check all known shell files
+# - anything_else, check only this file
+
+if [ "${1:-system}" = system ]; then
+    unset dockertag
+elif [ "$1" = docker ]; then
+    dockertag=v0.8.0
+else
+    dockertag="$1"
 fi
 
-(( fails=0 ))
-if [ -n "$dockertag" ]; then
+shellcheck_opts="-Calways -W 0 -x -o deprecate-which,avoid-nullary-conditions,add-default-case"
+
+run_shellcheck() {
+    local ret
+    action_detail "${BLUE}$1${NOC}"
+    if [ -n "${dockertag:-}" ]; then
+        # shellcheck disable=SC2086
+        docker run --rm -v "$PWD:/mnt" "koalaman/shellcheck:$dockertag" $shellcheck_opts "$1"; ret=$?
+    else
+        # shellcheck disable=SC2086
+        shellcheck $shellcheck_opts "$1"; ret=$?
+    fi
+    return $ret
+}
+
+(( fails=0 )) || true
+if [ -n "${dockertag:-}" ]; then
     action_doing "Checking shell files syntax using shellcheck:$dockertag docker"
 else
-    action_doing "Checking shell files syntax"
+    action_doing "Checking shell files syntax using system shellcheck"
 fi
 
-cd "$basedir" || exit 254
-for i in $(find . -type f ! -name "*.swp" -print0 | xargs -r0 grep -l 'set filetype=sh')
-do
-    action_detail "${BLUE}$i${NOC}"
-    if [ -n "$dockertag" ]; then
-        docker run --rm -v "$PWD:/mnt" "koalaman/shellcheck:$dockertag" -Calways -W 0 -x -o deprecate-which,avoid-nullary-conditions,add-default-case "$i"; ret=$?
+if [ -z "${2:-}" ]; then
+    for i in $(find . -type f ! -name "*.swp" ! -name "*.orig" ! -name "*.rej" -print0 | xargs -r0 grep -l 'set filetype=sh')
+    do
+        run_shellcheck "$i"; ret=$?
+        if [ $ret != 0 ]; then
+            (( fails++ ))
+        fi
+        if [ $ret = 3 ] || [ $ret = 4 ]; then
+            echo "${RED}WARNING: your shellcheck seems too old (code $ret), please upgrade it or use a more recent docker tag!${NOC}" >&2
+        fi
+    done
+
+    if [ "$fails" -ne 0 ] ; then
+        action_error "Got $fails errors"
     else
-        shellcheck -x "$i"; ret=$?
+        action_done "success"
     fi
-    if [ "$ret" != 0 ]; then
-        (( fails++ ))
-    fi
-done
-
-if [ "$fails" -ne 0 ] ; then
-    action_error "Got $fails errors"
+    exit "$fails"
 else
-    action_done "success"
+    run_shellcheck "$2"; ret=$?
+    if [ "$ret" -ne 0 ] ; then
+        action_error
+    else
+        action_done
+    fi
+    exit $ret
 fi
-exit "$fails"
diff --git a/lib/shell/functions.inc b/lib/shell/functions.inc
index da07956..860122c 100644
--- a/lib/shell/functions.inc
+++ b/lib/shell/functions.inc
@@ -14,9 +14,9 @@ LINUX_DISTRO=unknown
 DISTRO_VERSION=''
 DISTRO_LIKE=''
 if [ -e /etc/os-release ]; then
-    LINUX_DISTRO=$(grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"')
-    DISTRO_LIKE=$(grep '^ID_LIKE=' /etc/os-release | cut -d= -f2 | tr -d '"')
-    DISTRO_VERSION=$(grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | tr -d '"')
+    LINUX_DISTRO=$(grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"' || true)
+    DISTRO_LIKE=$(grep '^ID_LIKE=' /etc/os-release | cut -d= -f2 | tr -d '"' || true)
+    DISTRO_VERSION=$(grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | tr -d '"' || true)
 fi
 if [ -z "$LINUX_DISTRO" ] || [ -z "$DISTRO_VERSION" ]; then
     if command -v lsb_release >/dev/null 2>&1; then
@@ -24,22 +24,21 @@ if [ -z "$LINUX_DISTRO" ] || [ -z "$DISTRO_VERSION" ]; then
         DISTRO_VERSION=$(lsb_release -sr)
     elif [ -e /etc/debian_version ]; then
         LINUX_DISTRO=debian
-        DISTRO_VERSION=$(cat /etc/debian_version)
-        # special case while bullseye is not yet released
-        if [ "$DISTRO_VERSION" = "bullseye/sid" ]; then
-            DISTRO_VERSION=11
-        fi
+        DISTRO_VERSION=$(< /etc/debian_version)
     elif [ -e /etc/redhat-release ]; then
         LINUX_DISTRO=redhat
     fi
 fi
-if [ "$DISTRO_VERSION" = "buster/sid" ]; then
-    DISTRO_VERSION=10
+
+# special case while bookworm is not yet released
+if [ "$DISTRO_VERSION" = "bookworm/sid" ]; then
+    DISTRO_VERSION=12
 fi
+
 LINUX_DISTRO=$(echo "$LINUX_DISTRO" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
 # shellcheck disable=SC2034
 DISTRO_VERSION_MAJOR=$(echo "$DISTRO_VERSION" | grep -Eo '^[0-9]+' || true)
-[ -z "$DISTRO_LIKE" ] && DISTRO_LIKE="$LINUX_DISTRO"
+: "${DISTRO_LIKE:=$LINUX_DISTRO}"
 
 # no longer needed, but keep if for a few versions so that non-restarted daemons are still happy
 # shellcheck disable=SC2034
diff --git a/lib/shell/install.inc b/lib/shell/install.inc
index 1a35278..e4bd942 100644
--- a/lib/shell/install.inc
+++ b/lib/shell/install.inc
@@ -228,7 +228,7 @@ install_main() {
             r) action_package rpm; exit 0;;
             a) action_auto;        exit 0;;
             h) install_usage;      exit 0;;
-            ?) echo "Invalid option: -$OPTARG"; usage; exit 1;;
+            *) echo "Invalid option: -$OPTARG"; usage; exit 1;;
         esac
     done
     install_usage
diff --git a/tests/functional/fake_ttyrec.sh b/tests/functional/fake_ttyrec.sh
index 065d954..1ea0c74 100755
--- a/tests/functional/fake_ttyrec.sh
+++ b/tests/functional/fake_ttyrec.sh
@@ -10,4 +10,4 @@ while [ "$1" != "--" ]; do
     shift
 done
 shift
-eval "$@"
+eval "$*"
diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh
index 460472f..fe0c612 100755
--- a/tests/functional/launch_tests_on_instance.sh
+++ b/tests/functional/launch_tests_on_instance.sh
@@ -612,7 +612,7 @@ runtests()
 }
 
 COUNTONLY=0
-echo === running unit tests ===
+echo '=== running unit tests ==='
 # a while read loop doesn't work well here:
 # shellcheck disable=SC2044
 for f in $(find "$basedir/tests/unit/" -mindepth 1 -maxdepth 1 -type f -name "*.pl" -print)
@@ -627,11 +627,11 @@ done
 
 COUNTONLY=1
 testno=0
-echo === counting functional tests ===
+echo '=== counting functional tests ==='
 runtests
 testcount=$testno
 
-echo === will run $testcount functional tests ===
+echo "=== will run $testcount functional tests ==="
 COUNTONLY=0
 testno=0
 runtests