Vendors Kicksecure derivative-maker as a pinned submodule (18.1.7.4), adds the wrapper + verify + diagnose scripts, the pinned builder image, and the reproducibility-gated Gitea Actions workflow. Base flavour only — no hardening overlay (that's M1.2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
27 lines
1.5 KiB
Markdown
# derivative-maker submodule pin

The `derivative-maker/` submodule is pinned to a specific Kicksecure release tag. This is a deliberate, reviewed action — never auto-bump.

## Current pin

| Field             | Value                                                          |
|-------------------|----------------------------------------------------------------|
| Upstream          | https://github.com/Kicksecure/derivative-maker                 |
| Tag               | `18.1.7.4-developers-only`                                     |
| Mirror (optional) | https://git.silverlabs.uk/SilverLABS/derivative-maker (mirror) |

> Note: Kicksecure tags every developer iteration with the `-developers-only` suffix; this is their normal release convention, not a "use at your own risk" warning. Users of Kicksecure track this same tag space.

## Bumping the pin
1. Pick the new tag: `git -C linux/build/derivative-maker fetch --tags`
2. `git -C linux/build/derivative-maker checkout <new-tag>`
3. From the repo root: `git add linux/build/derivative-maker`
4. Run `linux/build/scripts/verify-reproducibility.sh` to completion (must pass).
5. Commit the bump on its own — *do not* combine with feature work.
6. Open the PR with the verification log attached.
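
Two checks a reviewer of a bump PR can run, as an added example that is not part of this repository: that the recorded gitlink is exactly the commit the chosen tag names, and that the bump commit touches nothing else (step 5). The function names are hypothetical, and the sketch assumes the submodule is checked out at `linux/build/derivative-maker`.

```shell
#!/bin/sh
# Added example, not the repository's own tooling. Function names are
# hypothetical; SUBMODULE is the path used in the bump steps above.
SUBMODULE="linux/build/derivative-maker"

# Print the commit recorded for the submodule (gitlink, mode 160000)
# in superproject revision <rev>.
pinned_commit() {  # usage: pinned_commit <repo> <rev>
    git -C "$1" ls-tree "$2" -- "$SUBMODULE" |
        awk '$1 == "160000" && $2 == "commit" { print $3 }'
}

# Succeed only if the gitlink at <rev> is the commit that <tag> names in
# the checked-out submodule (annotated tags are peeled to their commit).
# Returns 2 when the tag does not exist there.
pin_matches_tag() {  # usage: pin_matches_tag <repo> <rev> <tag>
    want=$(git -C "$1/$SUBMODULE" rev-parse --verify -q \
        "refs/tags/$3^{commit}") || return 2
    have=$(pinned_commit "$1" "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Succeed if <rev> either leaves the pin alone or changes nothing but
# the pin. Merge commits produce no diff-tree output here and so pass.
bump_is_isolated() {  # usage: bump_is_isolated <repo> <rev>
    git -C "$1" diff-tree --root --no-commit-id -r --name-only "$2" |
        awk -v sub_path="$SUBMODULE" '
            $0 == sub_path { bumped = 1; next }
            { others++ }
            END { exit ((bumped && others) ? 1 : 0) }'
}
```

Sourced into a CI step, `pin_matches_tag . HEAD <new-tag> && bump_is_isolated . HEAD` fails the job when the pointer has drifted from the tag or the bump is mixed with other changes.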

## Why a pin (and not "track main")

Reproducibility requires every input to the build to be content-addressed. A floating submodule pointer would break the M1.1 exit criterion the moment upstream pushes a commit between two CI runs.