# derivative-maker submodule pin

The `derivative-maker/` submodule is pinned to a specific Kicksecure release tag. This is a deliberate, reviewed action — never auto-bump.

## Current pin

| Field             | Value                                                          |
|-------------------|----------------------------------------------------------------|
| Upstream          | https://github.com/Kicksecure/derivative-maker                 |
| Tag               | `18.1.7.4-developers-only`                                     |
| Mirror (optional) | https://git.silverlabs.uk/SilverLABS/derivative-maker (mirror) |

> Note: Kicksecure tags every developer iteration with the `-developers-only` suffix; this is their normal release convention, not a "use at your own risk" warning. Users of Kicksecure track this same tag space.

## Bumping the pin

1. Pick the new tag: `git -C linux/build/derivative-maker fetch --tags`
2. `git -C linux/build/derivative-maker checkout <new-tag>`
3. From the repo root: `git add linux/build/derivative-maker`
4. Run `linux/build/scripts/verify-reproducibility.sh` to completion (must pass).
5. Commit the bump on its own — *do not* combine with feature work.
6. Open the PR with the verification log attached.

## Why a pin (and not "track main")

Reproducibility requires every input to the build to be content-addressed. A floating submodule pointer would break the M1.1 exit criterion the moment upstream pushes a commit between two CI runs.