fix(linux/build): bump builder base bookworm → trixie (M1.1)

Run #4254 finally got past every harness issue and into derivative-
maker's actual sanity-tests, where it died with:

    You are attempting to build on an unsupported operating system or version.
    detected operating system codename: 'bookworm'
    expected operating system codename: 'trixie'

The pinned derivative-maker tag (18.1.7.4-developers-only) requires
Debian 13 (trixie) as the build host. Upstream's own
linux/build/derivative-maker/docker/Dockerfile uses
`FROM debian:trixie-slim`. We picked bookworm originally and the tag
mismatch wasn't caught until the build actually ran.

Changes:

- Dockerfile.builder: FROM debian:bookworm-slim →
  debian:trixie-slim @ sha256:cedb1ef4…2c5a (resolved 2026-05-07 on
  the runner host). sources.list suite names follow:
  `bookworm` → `trixie`, `bookworm-security` → `trixie-security`.
  snapshot.debian.org pin (20260415T000000Z) is unchanged — snapshots
  are date-keyed, so the same timestamp resolves trixie's dists/.
- silvermetal-base.conf: DERIVATIVE_DIST `bookworm` → `trixie` for
  consistency (the value isn't passed to derivative-maker — there's
  no --dist option — but it's referenced by the build.sh prologue
  and we shouldn't have a stale codename floating around).
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:7d893178…1890
  (rebuilt natively on 10.0.0.51 against the new base, pushed).

The reproducibility guarantee is unchanged in shape — same snapshot
timestamp, same source-date-epoch derivation, just a different stable
host OS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

linux/build/config/silvermetal-base.conf

@@ -9,7 +9,7 @@
 
 # --- Derivative selection ---------------------------------------------------
 DERIVATIVE_NAME="silvermetal-linux-base"
-DERIVATIVE_DIST="bookworm"
+DERIVATIVE_DIST="trixie"
 DERIVATIVE_TARGET_ARCH="amd64"
 DERIVATIVE_BUILD_TARGET="iso"
 

linux/build/docker/Dockerfile.builder

@@ -16,11 +16,15 @@
 # BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
 # check, commit all four changes together.
 
-# debian:bookworm-slim — pinned by digest.
-# Resolved 2026-04-26 via `docker pull debian:bookworm-slim`.
-# Bumping this requires rebuilding + pushing the silvermetal-builder image
-# AND updating BUILDER_IMAGE in linux/build/scripts/build.sh in the same commit.
-FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
+# debian:trixie-slim — pinned by digest.
+# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on the runner host.
+# Trixie (Debian 13) is what the pinned derivative-maker tag expects; its
+# 1100_sanity-tests reads /etc/os-release and exits if the codename is
+# anything other than `trixie`. Upstream's own derivative-maker/docker/
+# Dockerfile uses the same FROM. Bumping this requires rebuilding +
+# pushing the silvermetal-builder image AND updating BUILDER_IMAGE in
+# linux/build/scripts/build.sh in the same commit.
+FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
 
 # Reproducibility-friendly apt configuration.
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -46,8 +50,8 @@ RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends ca-certificates; \
     rm -f /etc/apt/sources.list.d/*; \
-    printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" >  /etc/apt/sources.list; \
-    printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
+    printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" >  /etc/apt/sources.list; \
+    printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
     apt-get -o Acquire::Check-Valid-Until=false update; \
     apt-get install -y --no-install-recommends \
         debootstrap \

linux/build/scripts/build.sh

@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
 # outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
 # registers as an insecure-registry. The host-style "docker-registry:5000"
 # is *not* DNS-resolvable; do not use it.
-BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:f8f0db3756df220d3de79371054fd43cf7f824ad27d9900328fef5723821bedc}"
+BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}"
 
 if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
     echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2