diff --git a/linux/build/config/silvermetal-base.conf b/linux/build/config/silvermetal-base.conf
index cc6f73a..5cf1945 100644
--- a/linux/build/config/silvermetal-base.conf
+++ b/linux/build/config/silvermetal-base.conf
@@ -9,7 +9,7 @@
 
 # --- Derivative selection ---------------------------------------------------
 DERIVATIVE_NAME="silvermetal-linux-base"
-DERIVATIVE_DIST="bookworm"
+DERIVATIVE_DIST="trixie"
 DERIVATIVE_TARGET_ARCH="amd64"
 DERIVATIVE_BUILD_TARGET="iso"
 
diff --git a/linux/build/docker/Dockerfile.builder b/linux/build/docker/Dockerfile.builder
index 8924cd4..f4fd129 100644
--- a/linux/build/docker/Dockerfile.builder
+++ b/linux/build/docker/Dockerfile.builder
@@ -16,11 +16,15 @@
 # BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
 # check, commit all four changes together.
 
-# debian:bookworm-slim — pinned by digest.
-# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
-# Bumping this requires rebuilding + pushing the silvermetal-builder image
-# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
-FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
+# debian:trixie-slim — pinned by digest.
+# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on the runner host.
+# Trixie (Debian 13) is what the pinned derivative-maker tag expects; its
+# 1100_sanity-tests reads /etc/os-release and exits if the codename is
+# anything other than `trixie`. Upstream's own derivative-maker/docker/
+# Dockerfile uses the same FROM. Bumping this requires rebuilding +
+# pushing the silvermetal-builder image AND updating BUILDER_IMAGE in
+# linux/build/scripts/build.sh in the same commit.
+FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
 
 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -46,8 +50,8 @@ RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends ca-certificates; \
     rm -f /etc/apt/sources.list.d/*; \
-    printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" >  /etc/apt/sources.list; \
-    printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
+    printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" >  /etc/apt/sources.list; \
+    printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
     apt-get -o Acquire::Check-Valid-Until=false update; \
     apt-get install -y --no-install-recommends \
         debootstrap \
diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh
index 4fa69c6..1ec4559 100755
--- a/linux/build/scripts/build.sh
+++ b/linux/build/scripts/build.sh
@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
 # outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
 # registers as an insecure-registry. The host-style "docker-registry:5000"
 # is *not* DNS-resolvable; do not use it.
-BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:f8f0db3756df220d3de79371054fd43cf7f824ad27d9900328fef5723821bedc}"
+BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}"
 
 if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
     echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2