chore(ci): bump builder pinned packages for Debian upstream drift#688

Merged
kvinwang merged 3 commits into
masterfrom
fix/builder-pinned-packages
May 19, 2026

Conversation

@Leechael
Collaborator

Fix CI failures in gateway and kms builder image checks caused by Debian package version drift.

Updated packages:

  • libssl-dev / libssl3t64: 3.5.5-1~deb13u1 → 3.5.6-1~deb13u1
  • musl / musl-dev / musl-tools: 1.2.5-3 → 1.2.5-3.1~deb13u1
  • openssl / openssl-provider-legacy: 3.5.5-1~deb13u1 → 3.5.6-1~deb13u1

Leechael and others added 3 commits May 19, 2026 11:42

Debian trixie updated:
- libssl-dev/libssl3t64: 3.5.5-1~deb13u1 → 3.5.6-1~deb13u1
- musl/musl-dev/musl-tools: 1.2.5-3 → 1.2.5-3.1~deb13u1
- openssl/openssl-provider-legacy: 3.5.5-1~deb13u1 → 3.5.6-1~deb13u1

The previous pin-packages.sh wrote /etc/apt/sources.list and only
referenced bookworm. That worked on bookworm-based images (the legacy
sources.list was overwritten), but on rust:1.92.0 (trixie) the base
image ships its sources via deb822 at
/etc/apt/sources.list.d/debian.sources. That file was left untouched,
so apt kept resolving from live deb.debian.org/debian trixie instead of
the snapshot — packages drifted on every build (libssl 3.5.5 → 3.5.6,
musl 1.2.5-3 → 1.2.5-3.1~deb13u1).

Detect VERSION_CODENAME from /etc/os-release, wipe both legacy and
deb822 sources, and rewrite sources.list against the snapshot for the
detected suite. Verified by running the script inside both
rust:1.92.0 (trixie) and debian:bookworm — apt now resolves from the
snapshot only, and libssl3t64 / musl land on the originally baselined
versions, so revert the version bumps from the previous commit.
@kvinwang
Collaborator

Pushed two follow-up commits because the original version bumps only paper over a bug in pin-packages.sh — the snapshot pinning was never actually in effect on the trixie-based builders.

Root cause. pin-packages.sh writes /etc/apt/sources.list (legacy format) pointing at the snapshot, hard-coded to bookworm. That works for the verifier image (rust:1.92.0-bookworm, which uses the legacy sources file). But kms and gateway use rust:1.92.0, which is now based on Debian 13 (trixie) and ships its sources via deb822 at /etc/apt/sources.list.d/debian.sources. That file was left untouched, so apt kept resolving from live deb.debian.org/debian trixie instead of the snapshot. The packages drift every time upstream publishes a security update — which is exactly what we saw (libssl 3.5.5 → 3.5.6, musl 1.2.5-3 → 1.2.5-3.1~deb13u1). Bumping the pinned versions would just kick the can down the road until the next trixie point release.

Fix. pin-packages.sh now:

  1. Detects the suite from /etc/os-release (VERSION_CODENAME), so the same script works for trixie and bookworm without hard-coding.
  2. Wipes both /etc/apt/sources.list and /etc/apt/sources.list.d/*.{list,sources} before writing the snapshot sources, so the base image's default live sources can no longer leak through.

Verified locally inside both rust:1.92.0 (trixie) and debian:bookworm: apt-get update only contacts snapshot.debian.org, and apt-cache madison libssl3t64 resolves to 3.5.5-1~deb13u1 from snapshot trixie/main — the originally baselined version. So the version bumps in the first commit have been reverted; the pinned files now match what the snapshot actually serves.

The third commit just silences a shellcheck SC1091 on the . /etc/os-release sourcing that the prek check flagged.
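The two-step fix described in the comment above (detect the suite from /etc/os-release, then remove both the legacy sources.list and every deb822 fragment before writing snapshot-only sources), as an added example that is not the project's pin-packages.sh. It assumes the public snapshot.debian.org archive URL layout and the apt `check-valid-until=no` source option; `SNAPSHOT_TS` is a placeholder because the page does not state the snapshot timestamp the project pins to, and the `--apply` entry point is a hypothetical convenience so the functions can be exercised against a scratch directory without touching the real /etc/apt.

```shell
#!/bin/sh
# Added example (not the project's pin-packages.sh). Regenerates apt sources
# against snapshot.debian.org for whichever Debian suite the image runs on.
set -eu

# Placeholder: the project's real snapshot timestamp is not given on the page.
SNAPSHOT_TS="${SNAPSHOT_TS:-YYYYMMDDTHHMMSSZ}"

# Read VERSION_CODENAME from an os-release file (default /etc/os-release).
# Sourcing inside a command substitution keeps the file's variables out of
# our own scope; the shellcheck directive covers the non-constant source path.
detect_codename() {
    file="${1:-/etc/os-release}"
    # shellcheck disable=SC1090
    codename="$(. "$file" && printf '%s' "${VERSION_CODENAME:-}")"
    [ -n "$codename" ] || { echo "VERSION_CODENAME missing in $file" >&2; return 1; }
    printf '%s\n' "$codename"
}

# Print legacy-format sources.list content that references only the snapshot.
# check-valid-until=no is needed because snapshot Release files have expired.
snapshot_sources() {
    suite="$1"; ts="$2"
    base="https://snapshot.debian.org/archive"
    printf 'deb [check-valid-until=no] %s/debian/%s/ %s main\n' "$base" "$ts" "$suite"
    printf 'deb [check-valid-until=no] %s/debian/%s/ %s-updates main\n' "$base" "$ts" "$suite"
    printf 'deb [check-valid-until=no] %s/debian-security/%s/ %s-security main\n' "$base" "$ts" "$suite"
}

# Replace the legacy file AND every deb822 fragment under an apt root.
# Leaving the .sources fragments in place is exactly what let the live
# deb.debian.org suite leak through on the trixie-based image.
write_sources() {
    apt_root="$1"; suite="$2"; ts="$3"
    rm -f "$apt_root/sources.list"
    rm -f "$apt_root"/sources.list.d/*.list "$apt_root"/sources.list.d/*.sources
    mkdir -p "$apt_root/sources.list.d"
    snapshot_sources "$suite" "$ts" > "$apt_root/sources.list"
}

# Post-condition check: number of source files under apt_root that still
# reference the live mirror. Zero means only the snapshot is configured.
live_source_count() {
    apt_root="$1"
    grep -rls 'deb.debian.org' "$apt_root/sources.list" "$apt_root/sources.list.d" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Hypothetical entry point: only rewrites the real /etc/apt when asked.
if [ "${1:-}" = "--apply" ]; then
    write_sources /etc/apt "$(detect_codename)" "$SNAPSHOT_TS"
    echo "remaining live sources: $(live_source_count /etc/apt)"
fi
```

Running `live_source_count` after the rewrite is the cheap build-time guard for the regression this PR fixes: a non-zero result means a base image introduced a sources file the script did not account for, and the build should fail before `apt-get update` silently resolves from a moving target.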

@kvinwang kvinwang merged commit d4acf2d into master May 19, 2026
15 checks passed