From 433eb18947c7b1d846416c30d37574f34e3f4ab4 Mon Sep 17 00:00:00 2001 
From: SysAdmin Date: Thu, 7 May 2026 11:25:40 +0100 Subject: [PATCH] =?UTF-8?q?fix(linux/build):=20bump=20builder=20base=20boo?= =?UTF-8?q?kworm=20=E2=86=92=20trixie=20(M1.1)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Run #4254 finally got past every harness issue and into derivative- maker's actual sanity-tests, where it died with: You are attempting to build on an unsupported operating system or version. detected operating system codename: 'bookworm' expected operating system codename: 'trixie' The pinned derivative-maker tag (18.1.7.4-developers-only) requires Debian 13 (trixie) as the build host. Upstream's own linux/build/derivative-maker/docker/Dockerfile uses `FROM debian:trixie-slim`. We picked bookworm originally and the tag mismatch wasn't caught until the build actually ran. Changes: - Dockerfile.builder: FROM debian:bookworm-slim → debian:trixie-slim @ sha256:cedb1ef4…2c5a (resolved 2026-05-07 on the runner host). sources.list suite names follow: `bookworm` → `trixie`, `bookworm-security` → `trixie-security`. snapshot.debian.org pin (20260415T000000Z) is unchanged — snapshots are date-keyed, so the same timestamp resolves trixie's dists/. - silvermetal-base.conf: DERIVATIVE_DIST `bookworm` → `trixie` for consistency (the value isn't passed to derivative-maker — there's no --dist option — but it's referenced by the build.sh prologue and we shouldn't have a stale codename floating around). - build.sh: BUILDER_IMAGE digest re-pinned to sha256:7d893178…1890 (rebuilt natively on 10.0.0.51 against the new base, pushed). The reproducibility guarantee is unchanged in shape — same snapshot timestamp, same source-date-epoch derivation, just a different stable host OS. Co-Authored-By: Claude Opus 4.7 (1M context) --- linux/build/config/silvermetal-base.conf | 2 +- linux/build/docker/Dockerfile.builder | 18 +++++++++++------- linux/build/scripts/build.sh | 2 +- 3 files changed, 13 insertions(+), 9 deletions(-) 
diff --git a/linux/build/config/silvermetal-base.conf b/linux/build/config/silvermetal-base.conf
index cc6f73a..5cf1945 100644
--- a/linux/build/config/silvermetal-base.conf
+++ b/linux/build/config/silvermetal-base.conf
@@ -9,7 +9,7 @@

 # --- Derivative selection ---------------------------------------------------
 DERIVATIVE_NAME="silvermetal-linux-base"
-DERIVATIVE_DIST="bookworm"
+DERIVATIVE_DIST="trixie"
 DERIVATIVE_TARGET_ARCH="amd64"
 DERIVATIVE_BUILD_TARGET="iso"

diff --git a/linux/build/docker/Dockerfile.builder b/linux/build/docker/Dockerfile.builder
index 8924cd4..f4fd129 100644
--- a/linux/build/docker/Dockerfile.builder
+++ b/linux/build/docker/Dockerfile.builder
@@ -16,11 +16,15 @@
 # BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
 # check, commit all four changes together.

-# debian:bookworm-slim — pinned by digest.
-# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
-# Bumping this requires rebuilding + pushing the silvermetal-builder image
-# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
-FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
+# debian:trixie-slim — pinned by digest.
+# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on the runner host.
+# Trixie (Debian 13) is what the pinned derivative-maker tag expects; its
+# 1100_sanity-tests reads /etc/os-release and exits if the codename is
+# anything other than `trixie`. Upstream's own derivative-maker/docker/
+# Dockerfile uses the same FROM. Bumping this requires rebuilding +
+# pushing the silvermetal-builder image AND updating BUILDER_IMAGE in
+# linux/build/scripts/build.sh in the same commit.
+FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a

 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -46,8 +50,8 @@ RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends ca-certificates; \
 rm -f /etc/apt/sources.list.d/*; \
- printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
- printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
+ printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
+ printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
 apt-get -o Acquire::Check-Valid-Until=false update; \
 apt-get install -y --no-install-recommends \
 debootstrap \
diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh
index 4fa69c6..1ec4559 100755
--- a/linux/build/scripts/build.sh
+++ b/linux/build/scripts/build.sh
@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
 # outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
 # registers as an insecure-registry. The host-style "docker-registry:5000"
 # is *not* DNS-resolvable; do not use it.
-BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:f8f0db3756df220d3de79371054fd43cf7f824ad27d9900328fef5723821bedc}"
+BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}"
 if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
 echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2
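Review bot: Nothing in the `RUN set -eux` step of linux/build/docker/Dockerfile.builder checks that the suite written by the two `printf` lines matches the codename of the digest-pinned base image, so a later bump that touches only the `FROM` line or only these lines would leave apt installing packages from a different release without the image build failing. A guard placed just before the `printf` lines would turn that drift into a build-time error: `. /etc/os-release; [ "$VERSION_CODENAME" = trixie ]; \`. It would also help to add a comment above the `printf` lines such as `# check-valid-until=no: snapshot Release files are past their Valid-Until date; signature verification is left enabled`, since the visible lines relax only the expiry check and a reader should not have to infer that. The RUN instruction begins before this hunk and continues past it, so the placement should be confirmed against the full file.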