diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh
index 4e9ab6d..b9bfa7a 100755
--- a/linux/build/scripts/build-inner.sh
+++ b/linux/build/scripts/build-inner.sh
@@ -116,10 +116,24 @@ cd "${REPO_ROOT}/linux/build/derivative-maker"
 # (per help-steps/variables: binary_build_folder_dist=$HOMEVAR/derivative-binary),
 # *not* into the source tree. Collect from there into BUILD_DIR.
 # Exact upstream output paths can shift between tags — keep this tolerant.
-find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.iso" -print0 \
-    | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/"
+#
+# stderr+exit suppression is essential: $HOME/derivative-binary contains
+# the live-build chroot, and several of the chroot's own subdirs
+# (/usr/src, /etc/sudoers.d, /etc/cron.*, /boot, /root, /run/sudo,
+# cache/bootstrap/root, ...) are 0700 root-owned because the chroot
+# creation step ran under sudo. As `user` (uid 1000) we can't traverse
+# them. find emits "Permission denied" on each and exits non-zero;
+# pipefail then kills the entire build script *after* the ISO has
+# already been copied — exactly what happened on run #4271 (15:24
+# clean derivative-maker run, ISO produced, build-inner died on this
+# pipeline). Suppress and rely on build.sh's host-side
+# "no *.iso in BUILD_DIR" check (exit 4) to surface a real miss.
+find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.iso" \
+    -print0 2>/dev/null \
+    | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" || true
 
 # Manifest of file metadata that lives inside the ISO. Useful when
 # diagnosing reproducibility regressions without re-extracting.
-find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.manifest" -print0 \
+find "${HOME}/derivative-binary" -maxdepth 6 -type f -name "*.manifest" \
+    -print0 2>/dev/null \
     | xargs -0 -I{} cp -av "{}" "${BUILD_DIR}/" 2>/dev/null || true