From 8a3cd0ba22175334fcdc9d251ab274dcdc229e00 Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Thu, 7 May 2026 11:35:27 +0100
Subject: [PATCH] fix(linux/build): allow untagged / uncommitted submodule commits (M1.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run #4256 finally cleared every preceding obstacle and reached git_sanity_test's per-submodule verification phase. sq-git authenticated every commit signature in the chain — that part is working perfectly — but failed at:

    ERROR: Untagged commit in: qubes/qubes-template-kicksecure
    INFO: As a developer or advanced user you might want to use:
    WARNING: This can be insecure if you cannot audit the changes.
    --allow-untagged true --allow-uncommitted true

git_sanity_test runs two orthogonal checks:

1. signatures (sq-git, verified ✅)
2. tagged-commit-only mode (verified ❌ for one submodule)

The pinned upstream tag (18.1.7.4-developers-only — the name itself flags the intent) deliberately ships with some submodule pointers at intermediate / merge commits rather than release tags. parse-cmd documents `--allow-untagged true` and `--allow-uncommitted true` for exactly this case.

Signatures remain verified; we're only relaxing the release-tag check, which is appropriate when we've deliberately pinned to a developer tag. If/when we move to a redistributable upstream tag in M1.10+ (signing ceremony milestone), these flags should come back out.

No image rebuild needed — script-only change.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 linux/build/scripts/build-inner.sh | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh
index 1dd0834..04726d1 100755
--- a/linux/build/scripts/build-inner.sh
+++ b/linux/build/scripts/build-inner.sh
@@ -33,14 +33,23 @@ cd "${REPO_ROOT}/linux/build/derivative-maker" # --build, --dist, or --config) trips the "unknown option" guard at # parse-cmd line 725. Spelling matters too: upstream uses --flavor # (American), not --flavour. --freedom is mandatory for amd64/i386. -# Dist is implicit from --flavor (kicksecure-cli => bookworm), and +# Dist is implicit from --flavor (kicksecure-cli => trixie), and # the silvermetal-base.conf is sourced into the env above rather than # passed as a flag because derivative-maker has no --config option. +# +# --allow-untagged true / --allow-uncommitted true: the pinned upstream +# tag (18.1.7.4-developers-only — name says it all) deliberately ships +# with some submodules at intermediate / merge commits. sq-git still +# verifies every signature in the chain — these flags only relax the +# additional "must be at a release tag" check. Appropriate for a +# downstream consumer pinned to a developer tag. ./derivative-maker \ - --flavor "${DERIVATIVE_FLAVOUR}" \ - --target "${DERIVATIVE_BUILD_TARGET}" \ - --arch "${DERIVATIVE_TARGET_ARCH}" \ - --freedom "${DERIVATIVE_FREEDOM}" + --flavor "${DERIVATIVE_FLAVOUR}" \ + --target "${DERIVATIVE_BUILD_TARGET}" \ + --arch "${DERIVATIVE_TARGET_ARCH}" \ + --freedom "${DERIVATIVE_FREEDOM}" \ + --allow-untagged true \ + --allow-uncommitted true # derivative-maker writes into its own build/ tree; collect into BUILD_DIR. # Exact upstream output paths can shift between tags — keep this tolerant.
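Review bot: the two new flags are hard-coded into the `./derivative-maker` invocation, yet the commit message itself says they should come back out once the pin moves to a redistributable tag at M1.10+, and nothing in the hunk will prompt that removal. Consider driving them from a variable like the other DERIVATIVE_* settings, e.g. `${DERIVATIVE_ALLOW_DEV_TAG:+--allow-untagged true --allow-uncommitted true}`, so a future pin to a release tag restores the full release-tag check by default instead of silently keeping it relaxed. Also, run #4256 failed only on "Untagged commit"; `--allow-uncommitted true` additionally waives the uncommitted-changes check, which is a wider relaxation than that failure required, so it is worth confirming it is actually needed (and recording why in the new comment block) rather than passing both because parse-cmd's INFO text lists them together. Finally, the `bookworm` -> `trixie` edit in the "Dist is implicit from --flavor" comment is unrelated to the subject of this commit and is not mentioned in the message; either note it there or split it into its own change.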