Vendors Kicksecure derivative-maker as a pinned submodule (18.1.7.4), adds the wrapper + verify + diagnose scripts, the pinned builder image, and the reproducibility-gated Gitea Actions workflow. Base flavour only — no hardening overlay (that's M1.2). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
derivative-maker submodule pin
The derivative-maker/ submodule is pinned to a specific Kicksecure release tag. This is a deliberate, reviewed action — never auto-bump.
Current pin
| Field | Value |
|---|---|
| Upstream | https://github.com/Kicksecure/derivative-maker |
| Tag | 18.1.7.4-developers-only |
| Mirror (optional) | https://git.silverlabs.uk/SilverLABS/derivative-maker (mirror) |
Note: Kicksecure tags every developer iteration with the `-developers-only` suffix; this is their normal release convention, not a "use at your own risk" warning. Users of Kicksecure track this same tag space.
Bumping the pin
- Pick the new tag:

  ```sh
  git -C linux/build/derivative-maker fetch --tags
  git -C linux/build/derivative-maker checkout <new-tag>
  ```

- From the repo root:

  ```sh
  git add linux/build/derivative-maker
  ```

- Run `linux/build/scripts/verify-reproducibility.sh` to completion (must pass).
- Commit the bump on its own — do not combine with feature work.
- Open the PR with the verification log attached.
Why a pin (and not "track main")
Reproducibility requires every input to the build to be content-addressed. A floating submodule pointer would break the M1.1 exit criterion the moment upstream pushes a commit between two CI runs.
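
A reviewer-side check for the rule above, as an added example that is not part of this repository: it confirms that the commit recorded for the submodule is exactly the commit the pinned tag resolves to, for annotated and lightweight tags alike. The function names are hypothetical and the object ids in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not part of this repository. Function names are hypothetical.

# Read `git ls-remote --tags <upstream>` output on stdin; print the commit
# that tag $1 resolves to. An annotated tag has two lines: the tag object and
# a peeled "^{}" line carrying the commit. A lightweight tag has only one.
pinned_commit() {
    awk -v tag="$1" '
        $2 == ("refs/tags/" tag "^{}") { peeled = $1 }
        $2 == ("refs/tags/" tag)       { plain = $1 }
        END { if (peeled != "") print peeled; else if (plain != "") print plain }'
}

# Read `git ls-tree HEAD <path>` output on stdin; print the recorded commit
# only when path $1 is a gitlink (mode 160000), i.e. a real submodule entry.
gitlink_commit() {
    awk -v path="$1" '$1 == "160000" && $2 == "commit" && $4 == path { print $3 }'
}

# check_pin TAG PATH LS_TREE_OUTPUT LS_REMOTE_OUTPUT
# 0 = submodule sits on the tag, 1 = drift, 2 = tag or gitlink missing.
check_pin() {
    want=$(printf '%s\n' "$4" | pinned_commit "$1")
    have=$(printf '%s\n' "$3" | gitlink_commit "$2")
    [ -n "$want" ] || { echo "tag $1 not found upstream" >&2; return 2; }
    [ -n "$have" ] || { echo "$2 is not a submodule gitlink" >&2; return 2; }
    [ "$want" = "$have" ] || { echo "pin drift: $2 at $have, $1 is $want" >&2; return 1; }
}

# Constructed sample data (object ids are made up, not real Kicksecure commits).
TAG=18.1.7.4-developers-only
SUB=linux/build/derivative-maker
C_PINNED=1111111111111111111111111111111111111111
C_DRIFT=3333333333333333333333333333333333333333
T_OBJ=2222222222222222222222222222222222222222
SAMPLE_REMOTE=$(printf '%s\trefs/tags/%s\n%s\trefs/tags/%s^{}' "$T_OBJ" "$TAG" "$C_PINNED" "$TAG")
SAMPLE_TREE=$(printf '160000 commit %s\t%s' "$C_PINNED" "$SUB")
DRIFT_TREE=$(printf '160000 commit %s\t%s' "$C_DRIFT" "$SUB")

check_pin "$TAG" "$SUB" "$SAMPLE_TREE" "$SAMPLE_REMOTE" && echo "pin OK"
check_pin "$TAG" "$SUB" "$DRIFT_TREE" "$SAMPLE_REMOTE" || echo "rejected (exit $?)"
```

In CI the two inputs would come from `git ls-tree HEAD linux/build/derivative-maker` and `git ls-remote --tags` run against the upstream URL in the table above.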