SilverMetal/linux/build/docker/Dockerfile.builder
SysAdmin 4444dc11f3 feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
Vendors Kicksecure derivative-maker as a pinned submodule (18.1.7.4),
adds the wrapper + verify + diagnose scripts, the pinned builder image,
and the reproducibility-gated Gitea Actions workflow. Base flavour only —
no hardening overlay (that's M1.2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 04:25:48 +01:00


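# SilverMetal Linux — reproducible-build runner image.
#
# This image is the "build host" for the ISO. Pinning it by digest is the
# only thing keeping host-toolchain drift out of the reproducibility gate, so
# do NOT replace the FROM line with a tag-only reference.
#
# Build & push (run from repo root):
#   docker build \
#     -f linux/build/docker/Dockerfile.builder \
#     -t docker-registry:5000/silvermetal-builder:<commit> \
#     -t docker-registry:5000/silvermetal-builder:latest \
#     linux/build/docker
#   docker push docker-registry:5000/silvermetal-builder:<commit>
#
# To bump the base image: replace the digest, rebuild, push, update
# BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
# check, commit all four changes together.

# debian:bookworm-slim — pinned by digest.
# TODO(M1.1): replace placeholder digest with the actual one resolved at
# image-build time. The placeholder is intentionally invalid so a build that
# forgets to update it fails fast rather than silently using "latest".
FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000

# Reproducibility-friendly apt/locale configuration. These deliberately live
# in ENV rather than ARG: the ISO build later runs inside this image and needs
# the same non-interactive, C.UTF-8, SOURCE_DATE_EPOCH=0 environment that the
# image build itself uses.
ENV DEBIAN_FRONTEND=noninteractive \
    LC_ALL=C.UTF-8 \
    LANG=C.UTF-8 \
    SOURCE_DATE_EPOCH=0

# Package versions are pinned indirectly: everything below resolves against a
# fixed snapshot.debian.org timestamp — the same one the ISO build uses — so a
# rebuild of this Dockerfile against that snapshot produces the same toolchain
# bit-for-bit. That is why no per-package "=version" pins appear in the
# install list. The actual snapshot URLs are substituted at build time via
# --build-arg APT_SNAPSHOT_URL=... and --build-arg APT_SECURITY_SNAPSHOT_URL=...
#
# Plain http:// on purpose: debian:bookworm-slim ships without ca-certificates,
# so an https:// mirror fails TLS verification on the very first apt-get update,
# before anything can be installed. Archive authenticity does not depend on the
# transport — apt verifies the snapshot's (In)Release signature against the
# Debian archive keyring already present in the base image; http only exposes
# which packages are fetched. Keep any --build-arg override on http:// for the
# same reason, unless CA certificates are pre-seeded some other way.
ARG APT_SNAPSHOT_URL="http://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="http://snapshot.debian.org/archive/debian-security/20260415T000000Z"

# Point apt exclusively at the snapshot (the stock sources under
# sources.list.d would otherwise pull from a moving mirror), then install the
# ISO toolchain and clean the lists in the same layer so the cleanup actually
# shrinks the image. check-valid-until=no / Acquire::Check-Valid-Until=false
# are required because snapshot Release files are long past their Valid-Until.
RUN set -eux; \
    rm -f /etc/apt/sources.list.d/*; \
    printf 'deb [check-valid-until=no] %s bookworm main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
    printf 'deb [check-valid-until=no] %s bookworm-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
    apt-get -o Acquire::Check-Valid-Until=false update; \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        debootstrap \
        diffoscope-minimal \
        dosfstools \
        git \
        gnupg \
        isolinux \
        live-build \
        mtools \
        reprepro \
        rsync \
        squashfs-tools \
        syslinux-common \
        xorriso; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/*

# Non-root user for the parts of the build that don't need privilege.
# live-build itself still needs root inside the container for chroot/mount,
# so build.sh runs the container as root; this user exists for diagnostic
# tooling and matches uid 1000 to play nicely with bind mounts. No USER
# directive follows for that reason — do not add one without changing build.sh.
RUN useradd --uid 1000 --create-home --shell /bin/bash builder

WORKDIR /work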