fix(linux/build): allow untagged / uncommitted submodule commits (M1.1)
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m24s
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m24s
Run #4256 finally cleared every preceding obstacle and reached git_sanity_test's per-submodule verification phase. sq-git authenticated every commit signature in the chain — that part is working perfectly — but failed at: ERROR: Untagged commit in: qubes/qubes-template-kicksecure INFO: As a developer or advanced user you might want to use: WARNING: This can be insecure if you cannot audit the changes. --allow-untagged true --allow-uncommitted true git_sanity_test runs two orthogonal checks: 1. signatures (sq-git, verified ✅) 2. tagged-commit-only mode (verified ❌ for one submodule) The pinned upstream tag (18.1.7.4-developers-only — the name itself flags the intent) deliberately ships with some submodule pointers at intermediate / merge commits rather than release tags. parse-cmd documents `--allow-untagged true` and `--allow-uncommitted true` for exactly this case. Signatures remain verified; we're only relaxing the release-tag check, which is appropriate when we've deliberately pinned to a developer tag. If/when we move to a redistributable upstream tag in M1.10+ (signing ceremony milestone), these flags should come back out. No image rebuild needed — script-only change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -33,14 +33,23 @@ cd "${REPO_ROOT}/linux/build/derivative-maker"
|
||||
# --build, --dist, or --config) trips the "unknown option" guard at
|
||||
# parse-cmd line 725. Spelling matters too: upstream uses --flavor
|
||||
# (American), not --flavour. --freedom is mandatory for amd64/i386.
|
||||
# Dist is implicit from --flavor (kicksecure-cli => bookworm), and
|
||||
# Dist is implicit from --flavor (kicksecure-cli => trixie), and
|
||||
# the silvermetal-base.conf is sourced into the env above rather than
|
||||
# passed as a flag because derivative-maker has no --config option.
|
||||
#
|
||||
# --allow-untagged true / --allow-uncommitted true: the pinned upstream
|
||||
# tag (18.1.7.4-developers-only — name says it all) deliberately ships
|
||||
# with some submodules at intermediate / merge commits. sq-git still
|
||||
# verifies every signature in the chain — these flags only relax the
|
||||
# additional "must be at a release tag" check. Appropriate for a
|
||||
# downstream consumer pinned to a developer tag.
|
||||
./derivative-maker \
|
||||
--flavor "${DERIVATIVE_FLAVOUR}" \
|
||||
--target "${DERIVATIVE_BUILD_TARGET}" \
|
||||
--arch "${DERIVATIVE_TARGET_ARCH}" \
|
||||
--freedom "${DERIVATIVE_FREEDOM}"
|
||||
--flavor "${DERIVATIVE_FLAVOUR}" \
|
||||
--target "${DERIVATIVE_BUILD_TARGET}" \
|
||||
--arch "${DERIVATIVE_TARGET_ARCH}" \
|
||||
--freedom "${DERIVATIVE_FREEDOM}" \
|
||||
--allow-untagged true \
|
||||
--allow-uncommitted true
|
||||
|
||||
# derivative-maker writes into its own build/ tree; collect into BUILD_DIR.
|
||||
# Exact upstream output paths can shift between tags — keep this tolerant.
|
||||
|
||||
Reference in New Issue
Block a user