SilverMetal/linux/build/config/silvermetal-base.conf
SysAdmin 4444dc11f3 feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
Vendors Kicksecure derivative-maker as a pinned submodule (18.1.7.4),
adds the wrapper + verify + diagnose scripts, the pinned builder image,
and the reproducibility-gated Gitea Actions workflow. Base flavour only —
no hardening overlay (that's M1.2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 04:25:48 +01:00

47 lines
2.3 KiB
Plaintext

# SilverMetal Linux — Base build configuration (M1.1)
#
# Sourced by linux/build/scripts/build.sh inside the builder container.
# Minimal SilverMetal-specific overrides on top of Kicksecure's
# derivative-maker. NO hardening overlay, NO kernel swap, NO package
# additions — that work is M1.2 and later.
#
# Bash-sourceable: plain KEY="value" assignments in double quotes, parameter
# expansion of variables that build.sh guarantees, and the ":" guards below.
# No command substitution and no other commands, so sourcing this file has no
# side effect beyond setting variables (or aborting).
# --- Derivative selection ---------------------------------------------------
DERIVATIVE_NAME="silvermetal-linux-base"
DERIVATIVE_DIST="bookworm"
DERIVATIVE_TARGET_ARCH="amd64"
DERIVATIVE_BUILD_TARGET="iso"
# Kicksecure's derivative-maker exposes "build flavour" as the upstream
# selector. We ride on the plain Kicksecure CLI flavour here. M1.2 will
# switch this to a SilverMetal-Hardened flavour with our overlay.
DERIVATIVE_FLAVOUR="kicksecure-cli"
# --- Branding (reads shared/branding/linux-iso-meta.yaml at script time) ----
# These mirror the YAML; the wrapper script reconciles them so we don't have
# two sources of truth for the same value. If they diverge, build.sh fails.
BRANDING_META_FILE="shared/branding/linux-iso-meta.yaml"
BRANDING_ID="silvermetal-linux-base"
BRANDING_VERSION="1.1.0-alpha"
BRANDING_ISO_LABEL="SILVERMETAL_LINUX_BASE"
# --- Reproducibility levers -------------------------------------------------
# Set/overridden by build.sh; declared here so a stray invocation fails loudly
# rather than silently picking up the host's clock / mirror.
: "${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set by build.sh}"
: "${SNAPSHOT_TIMESTAMP:?SNAPSHOT_TIMESTAMP must be set by build.sh}"
# snapshot.debian.org URL pattern. SNAPSHOT_TIMESTAMP is a snapshot.debian.org
# timestamp (UTC, YYYYMMDDTHHMMSSZ). derivative-maker honours APT_SNAPSHOT_URL
# when present; if upstream renames it, update both here and build.sh.
APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/${SNAPSHOT_TIMESTAMP}"
APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/${SNAPSHOT_TIMESTAMP}"
# Deterministic squashfs flags. -no-exports omits the NFS export table.
# -no-xattrs drops extended attributes entirely: that removes xattr-ordering
# noise but also strips file capabilities (setcap binaries) and security
# labels from the image, so nothing in the base flavour may depend on them.
# -all-root forces root:root ownership; -reproducible pins the parallel
# writer's output order (the default in current mksquashfs, stated here on
# purpose); -wildcards only changes how exclude patterns are parsed.
MKSQUASHFS_OPTIONS="-no-exports -no-xattrs -reproducible -all-root -wildcards"
# --- Output -----------------------------------------------------------------
# Relative to repo root; build.sh moves artefacts here from the container.
OUTPUT_DIR="linux/build/output"
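The reconciliation that the branding section describes (BRANDING_* values in this config must match shared/branding/linux-iso-meta.yaml, and build.sh fails if they diverge), written out as an added example. This is not the project's build.sh: it assumes the YAML is a flat list of key: value lines with keys named id, version and iso_label, and the sample YAML is constructed inline so the script runs stand-alone.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): check that the BRANDING_* values
# from silvermetal-base.conf agree with the branding YAML, failing loudly on
# any divergence. YAML key names (id, version, iso_label) are assumptions.

# Extract a top-level scalar from a flat "key: value" YAML file. Optional
# surrounding double quotes are removed; nested keys are out of scope.
yaml_scalar() {  # yaml_scalar FILE KEY
    sed -n "s/^${2}:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Compare one config value with the YAML; diagnose on stderr and return 1
# if the key is missing or the two values differ.
reconcile_field() {  # reconcile_field FILE KEY CONF_VALUE
    local yaml_value
    yaml_value=$(yaml_scalar "$1" "$2")
    if [ -z "$yaml_value" ]; then
        echo "branding: key '$2' missing from $1" >&2
        return 1
    fi
    if [ "$yaml_value" != "$3" ]; then
        echo "branding: '$2' is '$3' in config but '$yaml_value' in $1" >&2
        return 1
    fi
}

# Check every field and report all mismatches before failing, so one run
# shows the whole drift instead of the first field only.
reconcile_branding() {  # reconcile_branding FILE ID VERSION ISO_LABEL
    local rc=0
    reconcile_field "$1" id        "$2" || rc=1
    reconcile_field "$1" version   "$3" || rc=1
    reconcile_field "$1" iso_label "$4" || rc=1
    return $rc
}

# Constructed sample YAML (assumed layout) mirroring the config's values.
BRANDING_SAMPLE=$(mktemp)
cat >"$BRANDING_SAMPLE" <<'EOF'
id: silvermetal-linux-base
version: "1.1.0-alpha"
iso_label: SILVERMETAL_LINUX_BASE
EOF

# Stand-alone run: prints the confirmation when config and YAML agree.
reconcile_branding "$BRANDING_SAMPLE" silvermetal-linux-base 1.1.0-alpha SILVERMETAL_LINUX_BASE \
    && echo "branding: config and YAML agree"
```

In build.sh the three literals would be the sourced BRANDING_ID, BRANDING_VERSION and BRANDING_ISO_LABEL, and the file argument BRANDING_META_FILE; a non-zero return from reconcile_branding is the point at which the build should stop.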
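The "fail loudly" guards in the reproducibility section only check that SOURCE_DATE_EPOCH and SNAPSHOT_TIMESTAMP are set; the following added example (not the project's build.sh) shows the checks build.sh could run before sourcing the config: both values well-formed, the snapshot timestamp in snapshot.debian.org's UTC YYYYMMDDTHHMMSSZ form, and the two levers derived from one instant so they cannot drift apart. Function names are assumptions, the equality policy between the two levers is a design choice made here rather than something the config mandates, and epoch conversion relies on GNU date (-d @EPOCH), which a Debian-based builder image provides.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): validate and cross-check the two
# reproducibility levers, then compose the snapshot URLs the config uses.
# Function names are assumptions. Requires GNU date for "-d @EPOCH".

# SOURCE_DATE_EPOCH must be an unsigned integer (seconds since 1970-01-01Z).
validate_epoch() {  # validate_epoch EPOCH
    case "$1" in
        ''|*[!0-9]*) echo "SOURCE_DATE_EPOCH '$1' is not an unsigned integer" >&2; return 1 ;;
    esac
}

# snapshot.debian.org timestamps are UTC, YYYYMMDDTHHMMSSZ.
validate_snapshot_ts() {  # validate_snapshot_ts TIMESTAMP
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9]T[0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) echo "SNAPSHOT_TIMESTAMP '$1' is not of the form YYYYMMDDTHHMMSSZ" >&2; return 1 ;;
    esac
}

# The snapshot timestamp denoting the same instant as an epoch value, so a
# build can pin both levers from a single number.
snapshot_ts_from_epoch() {  # snapshot_ts_from_epoch EPOCH
    date -u -d "@$1" +%Y%m%dT%H%M%SZ
}

# Archive URL for a repository ("debian" or "debian-security") at a timestamp;
# the same pattern as APT_SNAPSHOT_URL / APT_SECURITY_SNAPSHOT_URL.
snapshot_url() {  # snapshot_url REPO TIMESTAMP
    printf 'https://snapshot.debian.org/archive/%s/%s\n' "$1" "$2"
}

# Full pre-flight: both well-formed and the timestamp exactly the instant the
# epoch denotes. A mismatch means the package set and the artefact timestamps
# come from different moments, which is the drift the guards are meant to catch.
check_repro_levers() {  # check_repro_levers EPOCH TIMESTAMP
    validate_epoch "$1" || return 1
    validate_snapshot_ts "$2" || return 1
    local expected
    expected=$(snapshot_ts_from_epoch "$1")
    if [ "$expected" != "$2" ]; then
        echo "SNAPSHOT_TIMESTAMP $2 does not match SOURCE_DATE_EPOCH $1 (expected $expected)" >&2
        return 1
    fi
}

# Stand-alone demonstration with a constructed instant, 2026-01-01T00:00:00Z.
DEMO_EPOCH=1767225600
DEMO_TS=$(snapshot_ts_from_epoch "$DEMO_EPOCH")
check_repro_levers "$DEMO_EPOCH" "$DEMO_TS" \
    && snapshot_url debian "$DEMO_TS" \
    && snapshot_url debian-security "$DEMO_TS"
```

Deriving SNAPSHOT_TIMESTAMP from SOURCE_DATE_EPOCH (or the reverse) and then exporting both is the simplest way to make the equality hold; if the pipeline deliberately pins a snapshot older than the build's SOURCE_DATE_EPOCH, relax the equality in check_repro_levers to an ordering check rather than dropping it.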