From 36f7672c6f360c5d5143b54797b1432f4bf87ff3 Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Sun, 26 Apr 2026 04:49:34 +0100
Subject: [PATCH] fix(linux/build): make builder image actually build (M1.1)

- Pin debian:bookworm-slim by real digest (resolved 2026-04-26).
- Two-phase install: seed ca-certificates from the default mirror first so HTTPS to snapshot.debian.org works, then swap to the pinned snapshot for the toolchain itself. Slim images don't ship the CA bundle, so the one-shot pinned-source-only install would deadlock on cert verification.

Validated locally: image builds clean, 302MB, all live-build / debootstrap / mksquashfs / xorriso / diffoscope-minimal present.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 linux/build/docker/Dockerfile.builder | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/linux/build/docker/Dockerfile.builder b/linux/build/docker/Dockerfile.builder
index 1a64547..6bbecb8 100644
--- a/linux/build/docker/Dockerfile.builder
+++ b/linux/build/docker/Dockerfile.builder
@@ -17,10 +17,10 @@
 # check, commit all four changes together.
 
 # debian:bookworm-slim — pinned by digest.
-# TODO(M1.1): replace placeholder digest with the actual one resolved at
-# image-build time. The placeholder is intentionally invalid so a build that
-# forgets to update it fails fast rather than silently using "latest".
-FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
+# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
+# Bumping this requires rebuilding + pushing the silvermetal-builder image
+# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
 
 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
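Review bot: The new comment above `FROM` says a digest bump must update BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit, yet the diffstat shows only Dockerfile.builder changed; either build.sh does not yet reference the rebuilt image (in which case the comment overstates the coupling) or this commit already breaks the rule it introduces — worth reconciling before merge. It would also help a later reader to note what kind of digest this is, since `docker pull` of a multi-arch tag reports the manifest-list digest rather than a single-platform one, e.g. `# manifest-list digest (covers every published arch), not an amd64-only pin`.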
@@ -35,13 +35,21 @@ ENV DEBIAN_FRONTEND=noninteractive \
 ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
 ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
 
+# Two-phase install:
+# 1. Use the base image's default mirror to seed ca-certificates so HTTPS
+# to snapshot.debian.org works. (slim images don't ship CA bundles.)
+# 2. Pin sources.list to the snapshot and install the actual toolchain.
+# The first phase touches deb.debian.org without a pin; that's fine because
+# nothing it installs ends up in the final ISO — only the toolchain installed
+# in phase 2 does, and that is fully snapshot-pinned.
 RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates; \
 rm -f /etc/apt/sources.list.d/*; \
 printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
 printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
 apt-get -o Acquire::Check-Valid-Until=false update; \
 apt-get install -y --no-install-recommends \
- ca-certificates \
 debootstrap \
 diffoscope-minimal \
 dosfstools \
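Review bot: The ca-certificates package installed in phase 1 (and the openssl it depends on) now floats with whatever deb.debian.org serves on build day, and because `ca-certificates \` was dropped from the phase-2 list it is never reconciled against the 20260415 snapshot, so the builder image itself is no longer fully pinned — the new comment's "fully snapshot-pinned" claim only holds for the rest of the toolchain. Pinning it explicitly in the phase-2 list, e.g. `ca-certificates=<version from the 20260415 snapshot> \`, forces apt to match the snapshot version (or fail loudly if it cannot), and the comment should state that the unpinned first phase is acceptable because apt's InRelease signature check, not TLS, is what guarantees package integrity. If snapshot.debian.org is reachable over plain http, pointing phase 1 at the snapshot too would remove the floating input altogether — worth checking rather than assuming. The RUN instruction continues past the end of the hunk.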