SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a2bee4b5dc07d04f52d279434908d100ca3ec05a
SilverMetal/linux/build/config/silvermetal-base.conf
SysAdmin 433eb18947
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m19s
Details
fix(linux/build): bump builder base bookworm → trixie (M1.1) 
Run #4254 finally got past every harness issue and into derivative-
maker's actual sanity-tests, where it died with:

    You are attempting to build on an unsupported operating system or version.
    detected operating system codename: 'bookworm'
    expected operating system codename: 'trixie'

The pinned derivative-maker tag (18.1.7.4-developers-only) requires
Debian 13 (trixie) as the build host. Upstream's own
linux/build/derivative-maker/docker/Dockerfile uses
`FROM debian:trixie-slim`. We picked bookworm originally and the tag
mismatch wasn't caught until the build actually ran.

Changes:

- Dockerfile.builder: FROM debian:bookworm-slim →
  debian:trixie-slim @ sha256:cedb1ef4…2c5a (resolved 2026-05-07 on
  the runner host). sources.list suite names follow:
  `bookworm` → `trixie`, `bookworm-security` → `trixie-security`.
  snapshot.debian.org pin (20260415T000000Z) is unchanged — snapshots
  are date-keyed, so the same timestamp resolves trixie's dists/.
- silvermetal-base.conf: DERIVATIVE_DIST `bookworm` → `trixie` for
  consistency (the value isn't passed to derivative-maker — there's
  no --dist option — but it's referenced by the build.sh prologue
  and we shouldn't have a stale codename floating around).
- build.sh: BUILDER_IMAGE digest re-pinned to sha256:7d893178…1890
  (rebuilt natively on 10.0.0.51 against the new base, pushed).

The reproducibility guarantee is unchanged in shape — same snapshot
timestamp, same source-date-epoch derivation, just a different stable
host OS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 11:25:40 +01:00

58 lines
2.8 KiB
Plaintext
Raw Blame History

# SilverMetal Linux — Base build configuration (M1.1)
#
# Sourced by linux/build/scripts/build.sh inside the builder container.
# Minimal SilverMetal-specific overrides on top of Kicksecure's
# derivative-maker. NO hardening overlay, NO kernel swap, NO package
# additions — that work is M1.2 and later.
#
# Bash-sourceable. Use POSIX-quoted values; no command substitution.
# --- Derivative selection ---------------------------------------------------
DERIVATIVE_NAME="silvermetal-linux-base"
DERIVATIVE_DIST="trixie"
DERIVATIVE_TARGET_ARCH="amd64"
DERIVATIVE_BUILD_TARGET="iso"
# Kicksecure's derivative-maker exposes "build flavour" as the upstream
# selector. We ride on the plain Kicksecure CLI flavour here. M1.2 will
# switch this to a SilverMetal-Hardened flavour with our overlay.
# Upstream spells the CLI flag --flavor (American), so the variable name
# below is intentionally British but the flag passed in build-inner.sh
# is the upstream spelling.
DERIVATIVE_FLAVOUR="kicksecure-cli"
# Nonfree firmware switch (mandatory for amd64/i386 — parse-cmd errors
# otherwise). Kicksecure's public ISOs choose "false" (nonfree firmware
# included) so the resulting image actually boots on real hardware
# (wifi, GPU, microcode). M1.1 follows that choice; the hardening
# overlay in M1.2+ can revisit if there's a privacy-vs-functionality
# argument worth reopening.
DERIVATIVE_FREEDOM="false"
# --- Branding (reads shared/branding/linux-iso-meta.yaml at script time) ----
# These mirror the YAML; the wrapper script reconciles them so we don't have
# two sources of truth for the same value. If they diverge, build.sh fails.
BRANDING_META_FILE="shared/branding/linux-iso-meta.yaml"
BRANDING_ID="silvermetal-linux-base"
BRANDING_VERSION="1.1.0-alpha"
BRANDING_ISO_LABEL="SILVERMETAL_LINUX_BASE"
# --- Reproducibility levers -------------------------------------------------
# Set/overridden by build.sh; declared here so a stray invocation fails loudly
# rather than silently picking up the host's clock / mirror.
: "${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set by build.sh}"
: "${SNAPSHOT_TIMESTAMP:?SNAPSHOT_TIMESTAMP must be set by build.sh}"
# snapshot.debian.org URL pattern — derivative-maker honours APT_SNAPSHOT_URL
# when present; if upstream renames it, update both here and build.sh.
APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/${SNAPSHOT_TIMESTAMP}"
APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/${SNAPSHOT_TIMESTAMP}"
# Deterministic squashfs flags. -no-exports kills inode-export tables
# (host-dependent). -no-xattrs kills xattr ordering noise.
MKSQUASHFS_OPTIONS="-no-exports -no-xattrs -reproducible -all-root -wildcards"
# --- Output -----------------------------------------------------------------
# Relative to repo root; build.sh moves artefacts here from the container.
OUTPUT_DIR="linux/build/output"
Reference in New Issue View Git Blame Copy Permalink