SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(linux/build): bump builder base bookworm → trixie (M1.1)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m19s
Details

Browse Source 
Run #4254 finally got past every harness issue and into derivative-
maker's actual sanity-tests, where it died with:

    You are attempting to build on an unsupported operating system or version.
    detected operating system codename: 'bookworm'
    expected operating system codename: 'trixie'

The pinned derivative-maker tag (18.1.7.4-developers-only) requires
Debian 13 (trixie) as the build host. Upstream's own
linux/build/derivative-maker/docker/Dockerfile uses
`FROM debian:trixie-slim`. We picked bookworm originally and the tag
mismatch wasn't caught until the build actually ran.

Changes:

- Dockerfile.builder: FROM debian:bookworm-slim →
  debian:trixie-slim @ sha256:cedb1ef4…2c5a (resolved 2026-05-07 on
  the runner host). sources.list suite names follow:
  `bookworm` → `trixie`, `bookworm-security` → `trixie-security`.
  snapshot.debian.org pin (20260415T000000Z) is unchanged — snapshots
  are date-keyed, so the same timestamp resolves trixie's dists/.
- silvermetal-base.conf: DERIVATIVE_DIST `bookworm` → `trixie` for
  consistency (the value isn't passed to derivative-maker — there's
  no --dist option — but it's referenced by the build.sh prologue
  and we shouldn't have a stale codename floating around).
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:7d893178…1890
  (rebuilt natively on 10.0.0.51 against the new base, pushed).

The reproducibility guarantee is unchanged in shape — same snapshot
timestamp, same source-date-epoch derivation, just a different stable
host OS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
SysAdmin
2026-05-07 11:25:40 +01:00
parent 4a3971cb06
commit 433eb18947
3 changed files with 13 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
linux/build/scripts/build.sh
View File

@@ -32,7 +32,7 @@ cd "${REPO_ROOT}"
# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
# registers as an insecure-registry. The host-style "docker-registry:5000"
# is *not* DNS-resolvable; do not use it.
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:f8f0db3756df220d3de79371054fd43cf7f824ad27d9900328fef5723821bedc}"
BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:7d893178b4910de5654b503640caa40421f452294aca80e71b0814b152ef1890}"
if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2