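# SilverMetal Linux — reproducible-build runner image.
#
# This image is the "build host" for the ISO. Pinning it by digest is the
# only thing keeping host-toolchain drift out of the reproducibility gate, so
# do NOT replace the FROM line with a tag-only reference.
#
# Build & push (run from repo root; <tag> is the version tag for this build):
#   docker build \
#     -f linux/build/docker/Dockerfile.builder \
#     -t docker-registry:5000/silvermetal-builder:<tag> \
#     -t docker-registry:5000/silvermetal-builder:latest \
#     linux/build/docker
#   docker push docker-registry:5000/silvermetal-builder:<tag>
#
# To bump the base image: replace the digest, rebuild, push, update
# BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
# check, and commit the Dockerfile and build.sh changes together.

# debian:trixie-slim — pinned by digest.
# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on the runner host.
# Trixie (Debian 13) is what the pinned derivative-maker tag expects; its
# 1100_sanity-tests reads /etc/os-release and exits if the codename is
# anything other than `trixie`. Upstream's own derivative-maker/docker/
# Dockerfile uses the same FROM. Bumping this requires rebuilding +
# pushing the silvermetal-builder image AND updating BUILDER_IMAGE in
# linux/build/scripts/build.sh in the same commit.
FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a

# Reproducibility-friendly environment. These are deliberately ENV (not
# build-time-only): derivative-maker and live-build run *inside* this image
# at ISO-build time and must see the same non-interactive, C.UTF-8,
# SOURCE_DATE_EPOCH=0 environment the toolchain itself was installed under.
ENV DEBIAN_FRONTEND=noninteractive \
    LC_ALL=C.UTF-8 \
    LANG=C.UTF-8 \
    SOURCE_DATE_EPOCH=0

# Pinned package sources. These come from the same snapshot.debian.org
# timestamp as the ISO build, so a Dockerfile rebuild against that snapshot
# produces the same toolchain bit-for-bit. Because the snapshot fixes every
# package version, the apt-get install below intentionally does NOT pin
# versions per package (hadolint DL3008) — the timestamp is the pin.
# The actual snapshot URL is substituted at build time via
# --build-arg APT_SNAPSHOT_URL=... (and APT_SECURITY_SNAPSHOT_URL=...).
ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"

# Two-phase install:
#   1. Use the base image's default mirror to seed ca-certificates so HTTPS
#      to snapshot.debian.org works (slim images don't ship CA bundles).
#   2. Pin sources.list to the snapshot, re-install ca-certificates FROM the
#      snapshot (with --allow-downgrades, because the phase-1 mirror may be
#      newer), then install the actual toolchain.
#
# Why phase 1 is tolerable: it talks to deb.debian.org without a pin, but the
# CA bundle it seeds is replaced by the snapshot's in phase 2, so the trust
# store that git/sq/apt use for every later HTTPS fetch is itself pinned.
# Residual: any dependency phase 1 pulled in alongside ca-certificates
# (e.g. openssl, if the base image lacks it) is NOT re-pinned here; if that
# ever shows up in a reproducibility diff, either pin the phase-1 versions or
# drop phase 1 by pointing the ARGs at an http:// snapshot URL — apt's
# Release-signature check against the archive keyring the base image ships,
# not HTTPS, is what authenticates packages in both phases.
#
# check-valid-until=no / Acquire::Check-Valid-Until=false only disable the
# Release *freshness* (Valid-Until) check, which a dated snapshot must fail by
# design; signature verification stays on. Never add [trusted=yes] here —
# that would turn the build-arg URL into an unauthenticated package source.
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates; \
    rm -f /etc/apt/sources.list.d/*; \
    printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
    printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
    apt-get -o Acquire::Check-Valid-Until=false update; \
    apt-get install -y --no-install-recommends --allow-downgrades ca-certificates; \
    apt-get install -y --no-install-recommends \
        debootstrap \
        diffoscope-minimal \
        dosfstools \
        fakeroot \
        git \
        gnupg \
        gpg-agent \
        isolinux \
        live-build \
        mtools \
        reprepro \
        rsync \
        sequoia-chameleon-gnupg \
        sequoia-git \
        sq \
        sqop \
        sqv \
        squashfs-tools \
        sudo \
        syslinux-common \
        xorriso; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/*

# Non-root user for derivative-maker.
# Kicksecure's derivative-maker explicitly refuses to run as root and uses
# sudo internally for its privileged operations (debootstrap, mksquashfs,
# chroot mounts). build.sh chowns the workspace to this user inside the
# container, then runuser's to it before invoking derivative-maker.
# uid 1000 is conventional and plays nicely with bind mounts of files
# created by other Linux tools.
#
# SECURITY NOTE: NOPASSWD:ALL makes `builder` root-equivalent inside the
# container. The user/sudo split exists to satisfy derivative-maker's
# refuse-root check, not to contain it — the only isolation boundary for a
# build is the container runtime (and whatever capabilities/privileges
# build.sh grants it). Treat everything that runs in this image as root.
#
# visudo -cf validates the drop-in at image-build time: a malformed
# sudoers.d file would otherwise make every later sudo call fail, and the
# failure would only surface deep inside derivative-maker.
RUN set -eux; \
    useradd --uid 1000 --create-home --shell /bin/bash builder; \
    echo 'builder ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/builder; \
    chmod 440 /etc/sudoers.d/builder; \
    visudo -cf /etc/sudoers.d/builder

# No USER directive on purpose: build.sh runs its setup (chown of the
# bind-mounted workspace) as root and then drops to `builder` via runuser.
WORKDIR /work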