From 4a3971cb069d843787d6e7c1303880a9ffda7c1d Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Thu, 7 May 2026 11:18:38 +0100
Subject: [PATCH] fix(linux/build): correct derivative-maker CLI invocation (M1.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run #4253 finally got past all the harness failures and into
derivative-maker's actual build steps, where 1100_sanity-tests rejected
our invocation with:

    unknown option (1): '--build'

The CLI we'd been passing was built from invented flag names rather than
the real grammar in derivative-maker/help-steps/parse-cmd. Concretely:

- `--build` is not a real option (just wrong)
- `--flavour` should be `--flavor` (upstream uses American spelling)
- `--dist` is not a real option; dist is implicit from `--flavor`
  (kicksecure-cli ⇒ bookworm)
- `--config` is not a real option; the silvermetal-base.conf is sourced
  into env above the invocation, no flag needed
- `--freedom true|false` was missing entirely; parse-cmd requires it for
  `--arch amd64` (line 70 in parse-cmd) — the script exits if neither is
  set

Fix: build-inner.sh now invokes

    ./derivative-maker --flavor … --target … --arch … --freedom …

which is the minimal valid form per parse-cmd's case-branches.

Set DERIVATIVE_FREEDOM=false in silvermetal-base.conf, matching
Kicksecure's own public-ISO choice — `--freedom true` would omit
firmware-nonfreedom and the resulting ISO wouldn't initialise wifi /
many GPUs / Intel microcode on most hardware. Privacy/functionality
trade-off documented inline; the hardening overlay in M1.2+ can revisit
if that conversation becomes useful.

Verified: bash -n on both scripts. No image rebuild needed — pure script
and config changes.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 linux/build/config/silvermetal-base.conf | 11 +++++++++++
 linux/build/scripts/build-inner.sh       | 14 ++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/linux/build/config/silvermetal-base.conf b/linux/build/config/silvermetal-base.conf index e52d734..cc6f73a 100644 --- a/linux/build/config/silvermetal-base.conf +++ b/linux/build/config/silvermetal-base.conf @@ -16,8 +16,19 @@ DERIVATIVE_BUILD_TARGET="iso" # Kicksecure's derivative-maker exposes "build flavour" as the upstream # selector. We ride on the plain Kicksecure CLI flavour here. M1.2 will # switch this to a SilverMetal-Hardened flavour with our overlay. +# Upstream spells the CLI flag --flavor (American), so the variable name +# below is intentionally British but the flag passed in build-inner.sh +# is the upstream spelling. DERIVATIVE_FLAVOUR="kicksecure-cli" +# Nonfree firmware switch (mandatory for amd64/i386 — parse-cmd errors +# otherwise). Kicksecure's public ISOs choose "false" (nonfree firmware +# included) so the resulting image actually boots on real hardware +# (wifi, GPU, microcode). M1.1 follows that choice; the hardening +# overlay in M1.2+ can revisit if there's a privacy-vs-functionality +# argument worth reopening. +DERIVATIVE_FREEDOM="false" + # --- Branding (reads shared/branding/linux-iso-meta.yaml at script time) ---- # These mirror the YAML; the wrapper script reconciles them so we don't have # two sources of truth for the same value. If they diverge, build.sh fails. diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh index 3975f97..1dd0834 100755 --- a/linux/build/scripts/build-inner.sh +++ b/linux/build/scripts/build-inner.sh 
@@ -28,13 +28,19 @@ source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf" cd "${REPO_ROOT}/linux/build/derivative-maker" +# CLI grammar comes from derivative-maker/help-steps/parse-cmd. The +# valid options are a closed set; passing anything else (including +# --build, --dist, or --config) trips the "unknown option" guard at +# parse-cmd line 725. Spelling matters too: upstream uses --flavor +# (American), not --flavour. --freedom is mandatory for amd64/i386. +# Dist is implicit from --flavor (kicksecure-cli => bookworm), and +# the silvermetal-base.conf is sourced into the env above rather than +# passed as a flag because derivative-maker has no --config option. ./derivative-maker \ - --build \ + --flavor "${DERIVATIVE_FLAVOUR}" \ --target "${DERIVATIVE_BUILD_TARGET}" \ - --flavour "${DERIVATIVE_FLAVOUR}" \ --arch "${DERIVATIVE_TARGET_ARCH}" \ - --dist "${DERIVATIVE_DIST}" \ - --config "${REPO_ROOT}/linux/build/config/silvermetal-base.conf" + --freedom "${DERIVATIVE_FREEDOM}" # derivative-maker writes into its own build/ tree; collect into BUILD_DIR. # Exact upstream output paths can shift between tags — keep this tolerant.
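Review bot: In the silvermetal-base.conf hunk, the new comment above `DERIVATIVE_FREEDOM="false"` calls the setting a "Nonfree firmware switch", but the value has the opposite polarity ("false" is the setting that includes nonfree firmware), and the accepted values are not listed. For a setting that decides whether nonfree firmware and microcode blobs ship in the image, please state both values explicitly in the comment, for example "true = nonfree firmware omitted, false = nonfree firmware included", so a later edit cannot flip it by misreading the label. Separately, build-inner.sh no longer passes `--dist "${DERIVATIVE_DIST}"` and this file has no deletions in the patch, so if `DERIVATIVE_DIST` is still defined here it is now unused and should be removed or marked as informational.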
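Review bot: In the build-inner.sh hunk, `--freedom "${DERIVATIVE_FREEDOM}"` is passed without any check that the variable is set and is one of `true` or `false`, so a missing or mistyped value in silvermetal-base.conf only surfaces once derivative-maker's own option parsing rejects it, which is the same late failure this patch is fixing. Consider `"${DERIVATIVE_FREEDOM:?must be true or false}"` or a small `case` guard before the invocation, and the same for the other three variables. The new comment also pins "parse-cmd line 725"; line numbers in the upstream tree will drift between tags, so referring to the guard by its "unknown option" message would age better. Note that the `bash -n` verification mentioned in the commit message checks syntax only and would not have caught the original invalid flags either.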