Skip to content

fix: refresh apt package pins to current bookworm versions#124

Merged
bgauduch merged 3 commits into
masterfrom
fix/dockerfile-apt-pins
Jun 15, 2026
Merged

fix: refresh apt package pins to current bookworm versions#124
bgauduch merged 3 commits into
masterfrom
fix/dockerfile-apt-pins

Conversation

@bgauduch

@bgauduch bgauduch commented Jun 15, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes the failing Docker build (root cause of the red build-test everywhere).
Debian removed the old point-release package versions from the bookworm mirror,
so exact pins like ca-certificates=20230311 no longer resolve and apt-get install fails with exit 100.

Packages stay pinned (reproducibility + supply chain) — the pins are
refreshed to the current bookworm candidates.

Changes

  • Dockerfile — refresh all OS package pins across the three stages to current versions:
    • ca-certificates=20230311+deb12u1, curl=7.88.1-10+deb12u14, gnupg=2.2.40-1.1+deb12u2, unzip=6.0-28, git=1:2.39.5-0+deb12u3, jq=1.6-2.1+deb12u1, openssh-client=1:9.2p1-2+deb12u10
  • docs/adr/0010-apt-package-pinning-strategy.md — records the decision to keep exact pins (unpinning rejected); snapshot.debian.org noted as a future option for break-proof pins.
  • docs/dependencies-upgrades.md — adds the apt-pin refresh procedure (the missed readme update) and aligns the Terraform line with ADR-0004.
  • hadolint DL3008 stays enforced (pinning required).

ADR

  • Adds ADR-0010 (structural Dockerfile change) — adr-check satisfied.

Notes

https://claude.ai/code/session_01EESGRwTzyd1G16yv7R2Eqd

Debian drops old point-release package versions from the bookworm
mirror, so exact pins (e.g. ca-certificates=20230311) vanish and the
build fails (apt exit 100) — this broke build-test. Unpin the OS utility
packages (keep --no-install-recommends) and ignore hadolint DL3008.

Supply-chain integrity is unchanged where it matters: Terraform and AWS
CLI stay version-pinned and GPG/checksum-verified; base image stays
tag-pinned. Records the decision and trade-off as ADR-0010.

https://claude.ai/code/session_01EESGRwTzyd1G16yv7R2Eqd
@bgauduch bgauduch marked this pull request as draft June 15, 2026 18:17
Debian superseded the old point-release pins (e.g. ca-certificates
20230311 -> +deb12u1), so apt-get install failed. Re-pin all OS packages
to the current bookworm candidates; keep exact pinning (ADR-0010) rather
than unpinning. Document the refresh procedure in dependencies-upgrades.md.

https://claude.ai/code/session_01EESGRwTzyd1G16yv7R2Eqd
@bgauduch bgauduch changed the title fix: unpin apt packages to stop build breakage on Debian point releases fix: refresh apt package pins to current bookworm versions Jun 15, 2026
@bgauduch bgauduch marked this pull request as ready for review June 15, 2026 18:21
The structure test hard-codes the git version; bump 2.39.2 -> 2.39.5 to
match the refreshed Dockerfile pin. Note in the upgrade checklist that
test assertions must be refreshed alongside the apt pins.

https://claude.ai/code/session_01EESGRwTzyd1G16yv7R2Eqd
@bgauduch bgauduch merged commit cd5a5c6 into master Jun 15, 2026
14 checks passed
@bgauduch bgauduch deleted the fix/dockerfile-apt-pins branch June 15, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants