From d5e70ecb0f375b494924be9422c4fcc7b1009c14 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 1 Sep 2021 08:19:12 -0700 Subject: [PATCH 01/51] Groom documentation Signed-off-by: dubo-dubon-duponey --- README.md | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 92fca1a..c0b5bc2 100644 --- a/README.md +++ b/README.md 
@@ -1,48 +1,62 @@ # Base images -Provides base images (builder and runtime) used by all our images. +Provides base images (builder, auditor, golang, node, runtime) used by all our images. Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: * `dubodubonduponey/base:runtime-latest` and `dubodubonduponey/base:runtime-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-08-01`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition * `dubodubonduponey/base:builder-latest` and `dubodubonduponey/base:builder-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-08-01`) - * golang, python, and essential dev & build tools + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) + * golang, python, and essential cross compilation dev & build tools * `dubodubonduponey/base:node-latest` and `dubodubonduponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg +* `dubodubonduponey/base:golang-latest` and `dubodubonduponey/base:golang-$SUITE-$DATE` + * just golang and git +* `dubodubonduponey/base:auditor-latest` and `dubodubonduponey/base:auditor-$SUITE-$DATE` + * test and security hardening tools ## TL;DR -```bash +Point to your buildkit host or use the helper to start one -# Download golang, node, yarn (once) -./hack/build.sh downloader +```bash +export BUILDKIT_HOST=$(./hack/helpers/start-buildkit.sh 2>/dev/null) +``` +```bash # Build the overlay ./hack/build.sh overlay +# Download golang, node, yarn (once) +./hack/build.sh downloader + # Build and push the builders and runtime images -./hack/build.sh builder --inject tags=registry.com/name/image:tag -./hack/build.sh node --inject tags=registry.com/name/image:tag -./hack/build.sh runtime --inject tags=registry.com/name/image:tag 
+./hack/build.sh builder +./hack/build.sh node +./hack/build.sh golang +./hack/build.sh runtime +./hack/build.sh auditor ``` +Note that the above will by default try to push to `ghcr.io/dubo-dubon-duponey/base`. +Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control +the push destination. + ## Configuration You can control additional aspects of the build passing arguments: -``` +```bash # Control base image, target platforms, and cache ./hack/build.sh runtime \ - --inject from_image="ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-08-01" \ --inject platforms="linux/arm/v6" \ - --inject cache_base=type=registry,ref=somewhere.com/cache/foo + --inject registry="private.registry/yourname" ``` ## Notes From 71dfbe0afe132897db8f44afe644ea7e47d46c8c Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 1 Sep 2021 11:19:59 -0700 Subject: [PATCH 02/51] Bump date Signed-off-by: dubo-dubon-duponey --- hack/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hack/test.sh b/hack/test.sh index 1a15de0..3896782 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-08-01 \ + --inject date=2021-09-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-08-01 \ + --inject date=2021-09-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 4197859f621e3ee22c94896eefc2c0ca5965b16b Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 1 Sep 2021 14:49:49 -0700 Subject: [PATCH 03/51] Naming Signed-off-by: dubo-dubon-duponey --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/README.md b/README.md index c0b5bc2..3fee91e 100644 --- a/README.md +++ b/README.md @@ -4,21 +4,21 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: -* `dubodubonduponey/base:runtime-latest` and `dubodubonduponey/base:runtime-$SUITE-$DATE` +* `ghcr.io/dubo-dubon-duponey/base:runtime-latest` and `ghcr.io/dubo-dubon-duponey/base:runtime-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition -* `dubodubonduponey/base:builder-latest` and `dubodubonduponey/base:builder-$SUITE-$DATE` +* `ghcr.io/dubo-dubon-duponey/base:builder-latest` and `ghcr.io/dubo-dubon-duponey/base:builder-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) * golang, python, and essential cross compilation dev & build tools -* `dubodubonduponey/base:node-latest` and `dubodubonduponey/base:node-$SUITE-$DATE` +* `ghcr.io/dubo-dubon-duponey/base:node-latest` and `ghcr.io/dubo-dubon-duponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg -* `dubodubonduponey/base:golang-latest` and `dubodubonduponey/base:golang-$SUITE-$DATE` +* `ghcr.io/dubo-dubon-duponey/base:golang-latest` and `ghcr.io/dubo-dubon-duponey/base:golang-$SUITE-$DATE` * just golang and git -* `dubodubonduponey/base:auditor-latest` and `dubodubonduponey/base:auditor-$SUITE-$DATE` +* `ghcr.io/dubo-dubon-duponey/base:auditor-latest` and `ghcr.io/dubo-dubon-duponey/base:auditor-$SUITE-$DATE` * test and security hardening tools ## TL;DR From d8441e85f897bef6f57c444df4a045a123c06445 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 20 Sep 2021 11:18:41 -0700 Subject: [PATCH 04/51] Bump to 9/15 and golang 1.16.8 
Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 18 +++++++++--------- Dockerfile.runtime | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index cede4f8..0f3b223 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 15db3e8..10f2cdd 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 ####################### # Actual "builder" image @@ -62,7 +62,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION=1.16.7 +ENV GOLANG_VERSION=1.16.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -205,7 +205,7 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -ENV GOLANG_VERSION=1.16.7 +ENV GOLANG_VERSION=1.16.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 53dff6b..7259264 100644 
--- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 ####################### # Downloader is here only to retrieve and validate upstream tarballs 
@@ -11,14 +11,14 @@ ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" ENV NODE_VERSION=14.17.6 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.7 -ENV GOLANG_LINUX_AMD64_SHA512 349f846599ca816f95f57adc41f789fdd6ade0ffcd325076de4fc3dcf06c72ae1474170ed5760e505a54a3ab10b1aa65d127f14a63cba27dec6672a1bcd2fbc6 -ENV GOLANG_LINUX_ARM64_SHA512 e575baeeb848a87511566bfbf385b57b75bed67d22b1c799141e876775e5f339c06d0eb021509501f323a3b98807b510455e5202c3433cfdc4b7a057a3c5171b -ENV GOLANG_LINUX_ARM_V7_SHA512 d36259ccba93e4bef4c566f7c59998fba4108ab32c2c897524add88c092e5f39345091661a425d67f6c8c7dfe4246bf7e416ab8477302f4bc706249180ccfd4e -ENV GOLANG_LINUX_ARM_V6_SHA512 d36259ccba93e4bef4c566f7c59998fba4108ab32c2c897524add88c092e5f39345091661a425d67f6c8c7dfe4246bf7e416ab8477302f4bc706249180ccfd4e -ENV GOLANG_LINUX_386_SHA512 66b0dc8f5f3afcd838656e49470f257613089489994d70eab61f23ffa548d967bdf8c185480a3c595cb3f50e56ae087a43bbc31b0d7ba6cccaac3a7b65d2a24a -ENV GOLANG_LINUX_S390X_SHA512 154f3f478fd526c0b3a1b6ba24f0080096e7f46e07b8cfa25a19842127464984771cc060d734b5d2a7a66ee8d8a2f0ee5c23a2529436fac3e2789e6363a65b3c -ENV GOLANG_LINUX_PPC64LE_SHA512 f8822a0a127e2dfc194d90485bd5fae82db46269277a55a583113e8e714ea9e80c421347d7d31dcf9ff34f7ddfc1da18242eb66f9c844406d56c7ea59bb29c23 +ENV GOLANG_VERSION 1.16.8 +ENV GOLANG_LINUX_AMD64_SHA512 ce6683bcafb5f0a980dcf1099202f00849ace729381eb3c10b77465f3e26f511990ab4ada7116231aa4ca51f004c3385991a982b5f8003f198fe5819868ed5b7 +ENV GOLANG_LINUX_ARM64_SHA512 5b35aa242ad725fca6d6e5a60eb41532cd27319fe8acd728d14e51528009fd6245f0e33a12a3fb778102d647db606fa67b5cb55623f42825f6b6977b0dbd8422 +ENV GOLANG_LINUX_ARM_V7_SHA512 9c8d5cff0d909880a7d3a82c16da36bd9d1287a35c5737d6bff3449e6b093420a405c0bfeb55c882df12b6315ef6fd274a22cda22cc5ca380c59b7e7e10db0e8 +ENV GOLANG_LINUX_ARM_V6_SHA512 9c8d5cff0d909880a7d3a82c16da36bd9d1287a35c5737d6bff3449e6b093420a405c0bfeb55c882df12b6315ef6fd274a22cda22cc5ca380c59b7e7e10db0e8 +ENV GOLANG_LINUX_386_SHA512 
143fd36c89485b93c5c242f8b4cc300d545046bbaa84457672bb64085f6e53a43cb1cc8152f342c3c3dbd12e459a43382e9bf3817fa5424e68ec00e8150a4f09 +ENV GOLANG_LINUX_S390X_SHA512 021acdcc2cdeac9dd999f88e6515e79891d3d01229fc77ef8492de83589db5ca7d0379a5f3d59bc43dd3fe938951f7ee0972091d919caa4ff8c23018b0b7b3dd +ENV GOLANG_LINUX_PPC64LE_SHA512 e56ce2c98a0a4b5093de543a09849f835107906d8f151f30955365ea1b3dda1cbf007fb28d048299c745300bc4f085ac91182e44472601432a525ee955af6675 #ENV GOLANG_OLD_VERSION 1.15.13 #ENV GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 996057a..66f591e 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-01@sha256:7231d833660dd4fe1ec0aa4b4484cde1e538fe77b0b6871f8ea55197c56cf692 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 ####################### # Overlay From 431472df56a4eb37d7095f0300bc8c8522a7ecb6 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 21 Sep 2021 14:17:44 -0700 Subject: [PATCH 05/51] Lint fixes Signed-off-by: dubo-dubon-duponey --- context/scripts/entrypoint.sh | 38 +++++++++++++++++--------------- context/scripts/version_check.sh | 6 +++++ hack/lint.sh | 5 +---- hack/test.sh | 4 ++-- 4 files changed, 29 insertions(+), 24 deletions(-) diff --git a/context/scripts/entrypoint.sh b/context/scripts/entrypoint.sh index 3e8af0f..219ff4a 100755 --- a/context/scripts/entrypoint.sh +++ b/context/scripts/entrypoint.sh 
@@ -98,20 +98,21 @@ init::node() { local server # XXX Discarded servers: hkps://keys.gnupg.net hkps://pgp.mit.edu hkps://keyoxide.org hkps://keybase.io; do # hkps://keys.openpgp.org <- may work as well for some of them - for server in hkps://keyserver.ubuntu.com; do - >&2 echo "gpg --batch --keyserver $server ${gpgopts[*]} --recv-keys $key" - # XXX gpg may return 0 but still NOT import the key if it has no user ID, so we HAVE to iterate over them all, for all keys - # root@af1c2517c790:/# gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B9E2F5981AA6E0CD28160D9FF13993A75599653C; echo $? - # gpg: key F13993A75599653C: new key but contains no user ID - skipped - # gpg: Total number processed: 1 - # gpg: w/o user IDs: 1 - # Quite effed-up ^, gpg - gpg --batch --keyserver "$server" "${gpgopts[@]}" --recv-keys $key || true - # && break || { - # >&2 echo "No dice. Moving on to next server" - # continue - #} - done + #for server in hkps://keyserver.ubuntu.com; do + server=hkps://keyserver.ubuntu.com + >&2 echo "gpg --batch --keyserver $server ${gpgopts[*]} --recv-keys $key" + # XXX gpg may return 0 but still NOT import the key if it has no user ID, so we HAVE to iterate over them all, for all keys + # root@af1c2517c790:/# gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B9E2F5981AA6E0CD28160D9FF13993A75599653C; echo $? + # gpg: key F13993A75599653C: new key but contains no user ID - skipped + # gpg: Total number processed: 1 + # gpg: w/o user IDs: 1 + # Quite effed-up ^, gpg + gpg --batch --keyserver "$server" "${gpgopts[@]}" --recv-keys $key || true + # && break || { + # >&2 echo "No dice. Moving on to next server" + # continue + #} + #done gpg --list-keys --fingerprint --with-colon "$key" | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | head -1 | gpg --import-ownertrust 2>/dev/null done } 
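Review bot: With the keyserver loop in init::node reduced to a single `server=hkps://keyserver.ubuntu.com`, the `|| true` after `--recv-keys` now hides every fetch failure and no fallback server is left, so a key that was never imported goes unnoticed here (the `--import-ownertrust` pipeline that follows also sends its errors to /dev/null). I would check the keyring right after the fetch, e.g. `gpg --batch --list-keys "$key" >/dev/null 2>&1 || { >&2 echo "key $key was not imported"; return 1; }`, and quote the argument as `--recv-keys "$key"`. The retained comment saying "we HAVE to iterate over them all" no longer describes the code, and the commented-out `#for` / `#done` lines could be dropped. The same applies to the init::yarn hunk at -196,10; both function bodies start outside their hunks.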
@@ -196,10 +197,11 @@ init::yarn() { local key=6A010C5166006599AA17F08146C2130DFD2497F5 logger::debug "Importing Yarn key $key" # hkps://keys.openpgp.org <- may work as well for some of them - for server in hkps://keyserver.ubuntu.com; do - >&2 echo "gpg --batch --keyserver $server ${gpgopts[*]} --recv-keys $key" - gpg --batch --keyserver "$server" "${gpgopts[@]}" --recv-keys $key || true - done + #for server in hkps://keyserver.ubuntu.com; do + local server=hkps://keyserver.ubuntu.com + >&2 echo "gpg --batch --keyserver $server ${gpgopts[*]} --recv-keys $key" + gpg --batch --keyserver "$server" "${gpgopts[@]}" --recv-keys $key || true + #done gpg --list-keys --fingerprint --with-colon "$key" | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | head -1 | gpg --import-ownertrust 2>/dev/null } diff --git a/context/scripts/version_check.sh b/context/scripts/version_check.sh index 9a721f1..053bc11 100755 --- a/context/scripts/version_check.sh +++ b/context/scripts/version_check.sh @@ -36,6 +36,7 @@ check::golang() { version="$(env::version::read "golang")" + # shellcheck disable=SC2251 if ! newversion=$(version::latest::patch url::golang "$version" "linux/amd64"); then logger::error "There is a more recent patch for the version of golang you want. You must update:" @@ -47,6 +48,7 @@ check::golang() { } fi + # shellcheck disable=SC2251 if ! newversion=$(version::latest::minor url::golang "$version" "linux/amd64"); then ! newversion=$(version::latest::patch url::golang "$newversion" "linux/amd64") logger::warning "Although you are running a fully patched version of golang ($version), there is a new minor version that you should migrate to:" @@ -60,6 +62,7 @@ check::node() { version="$(env::version::read "node")" + # shellcheck disable=SC2251 if ! newversion=$(version::latest::minor url::node "$version" "linux/amd64") || \ ! newversion=$(version::latest::patch url::node "$version" "linux/amd64"); then 
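Review bot: The `# shellcheck disable=SC2251` directives added in check::golang, check::node and check::yarn sit in front of a whole `if`, so they silence the warning for every statement inside that block and give no reason for doing so. What they appear to cover is the bare `! newversion=$(…)` lines in the bodies (visible in the -47,6 hunk), where the exit status is deliberately ignored; writing those as `newversion=$(version::latest::patch url::golang "$newversion" "linux/amd64") || true` states that intent and needs no suppression. If the directive stays, a comment on the line above it such as `# exit status ignored on purpose: only the captured version is used` would help the next reader. The same applies to the three version_check.sh hunks that follow (-72,6, -83,6 and -95,6); the function bodies extend outside all of these hunks.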
@@ -72,6 +75,7 @@ check::node() { } fi + # shellcheck disable=SC2251 if ! newversion=$(version::latest::major url::node "$version" "linux/amd64" "evenonly"); then ! newversion=$(version::latest::minor url::node "$newversion" "linux/amd64") ! newversion=$(version::latest::patch url::node "$newversion" "linux/amd64") @@ -83,6 +87,7 @@ check::yarn() { local version version="$(env::version::read "yarn")" + # shellcheck disable=SC2251 if ! newversion=$(version::latest::minor url::yarn "$version" "linux/amd64") || \ ! newversion=$(version::latest::patch url::yarn "$version" "linux/amd64"); then @@ -95,6 +100,7 @@ check::yarn() { } fi + # shellcheck disable=SC2251 if ! newversion=$(version::latest::major url::yarn "$version"); then ! newversion=$(version::latest::minor url::yarn "$newversion") ! newversion=$(version::latest::patch url::yarn "$newversion") diff --git a/hack/lint.sh b/hack/lint.sh index 07f00e2..0334f25 100755 --- a/hack/lint.sh +++ b/hack/lint.sh @@ -24,7 +24,4 @@ if ! hadolint "${hadolint_ignore[@]}" "$root"/*Dockerfile*; then exit 1 fi -if ! shellcheck "$root"/**/*.sh; then - printf >&2 "Failed shellchecking\n" - exit 1 -fi +find "$root" -iname "*.sh" -not -path "*debuerreotype*" -exec shellcheck {} \; diff --git a/hack/test.sh b/hack/test.sh index 3896782..aefb3b4 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-09-01 \ + --inject date=2021-09-15 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-09-01 \ + --inject date=2021-09-15 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 443fbb0bd2c5be280230715502154173a871c8a8 Mon Sep 17 00:00:00 2001 
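Review bot: The replacement `find … -exec shellcheck {} \;` line in hack/lint.sh no longer fails the script when shellcheck reports problems, because with the `\;` terminator find does not propagate the exit status of the command it runs, and the removed `if ! …; then … exit 1; fi` wrapper was what turned findings into a non-zero exit. Terminating with `+` makes find return non-zero when an invocation fails, so the gate can be kept as `if ! find "$root" -iname "*.sh" -not -path "*debuerreotype*" -exec shellcheck {} +; then printf >&2 "Failed shellchecking\n"; exit 1; fi`. As written, a lint run would print the warnings and still exit successfully.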
From: dubo-dubon-duponey Date: Mon, 4 Oct 2021 11:47:00 -0700 Subject: [PATCH 06/51] Bump 10-01 Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- Dockerfile.runtime | 4 ++-- hack/test.sh | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 0f3b223..d28b506 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 10f2cdd..0a147c0 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 7259264..875a9bf 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 66f591e..d13aa29 100644 
--- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-09-15@sha256:a0cf7d86e967172d1bdddbb472d63329af880765ed212915d57930b3379efbc4 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d ####################### # Overlay diff --git a/hack/test.sh b/hack/test.sh index aefb3b4..fc92c17 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-09-15 \ + --inject date=2021-10-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-09-15 \ + --inject date=2021-10-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 815fe46f242e967923ad4b502c692a84f65a4077 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 4 Oct 2021 13:15:47 -0700 Subject: [PATCH 07/51] Bump node Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index 0a147c0..640b908 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -146,7 +146,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.17.6 +ENV NODE_VERSION=14.18.0 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt 
diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 875a9bf..f68e6dd 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.17.6 +ENV NODE_VERSION=14.18.0 ENV YARN_VERSION=1.22.5 ENV GOLANG_VERSION 1.16.8 From 6f1084eefe03caefd927917b35b19d3c2762c02d Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 4 Oct 2021 13:15:58 -0700 Subject: [PATCH 08/51] Intoduce XDG defaults Signed-off-by: dubo-dubon-duponey --- Dockerfile.runtime | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Dockerfile.runtime b/Dockerfile.runtime index d13aa29..e61efd6 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -154,4 +154,16 @@ ONBUILD RUN [ "$BUILD_UID" == "2000" ] || { \ # Finally downgrade to system user ONBUILD USER dubo-dubon-duponey -ENTRYPOINT ["/boot/entrypoint.sh"] +# Disable weak cryptography in GNUTLS +ENV GNUTLS_FORCE_FIPS_MODE=1 + +# https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html +ENV XDG_DATA_HOME=/data +ENV XDG_DATA_DIRS=/data +ENV XDG_CONFIG_HOME=/config +ENV XDG_CONFIG_DIRS=/config +ENV XDG_RUNTIME_DIR=/tmp/runtime +ENV XDG_STATE_HOME=/tmp/state +ENV XDG_CACHE_HOME=/tmp/cache + +ENTRYPOINT ["/boot/entrypoint.sh"] From 6327d76d441bc6222a61872d3469abada137ded5 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 11 Oct 2021 16:08:27 -0700 Subject: [PATCH 09/51] Doc Signed-off-by: dubo-dubon-duponey --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3fee91e..f1eae30 100644 --- a/README.md +++ b/README.md 
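Review bot: `ENV XDG_RUNTIME_DIR=/tmp/runtime` in Dockerfile.runtime points at a path under /tmp that nothing in this hunk creates, while the basedir spec linked just above it requires that directory to be owned by the user with mode 0700. I would create it for the runtime user where the other folders are set up (that part of the file is outside the hunk), or at least add a comment such as `# /tmp/runtime must be created 0700 by the entrypoint or the consuming image`. Separately, the comment on `GNUTLS_FORCE_FIPS_MODE=1` reads stronger than the setting: as far as I know the variable only has an effect when GnuTLS was built with FIPS140 support, so it is worth confirming against the library shipped in the image and wording the comment as `# Request FIPS140 mode in GnuTLS (ignored by builds without FIPS support)`.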
@@ -5,14 +5,14 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: * `ghcr.io/dubo-dubon-duponey/base:runtime-latest` and `ghcr.io/dubo-dubon-duponey/base:runtime-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition * `ghcr.io/dubo-dubon-duponey/base:builder-latest` and `ghcr.io/dubo-dubon-duponey/base:builder-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-09-01`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-01`) * golang, python, and essential cross compilation dev & build tools * `ghcr.io/dubo-dubon-duponey/base:node-latest` and `ghcr.io/dubo-dubon-duponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg From 1ec92d41cd84b3b3710575e69399603ac83a003c Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Fri, 15 Oct 2021 14:41:52 -0700 Subject: [PATCH 10/51] Bump and tweaks - 2021-10-15 - bump node and go - rejiggle package install to be less opaque to audit tool Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 12 ++++++------ Dockerfile.builder | 20 ++++++++++++-------- Dockerfile.downloader | 21 +++++++++++---------- Dockerfile.runtime | 4 ++-- 4 files changed, 31 insertions(+), 26 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index d28b506..caf31e4 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor @@ -12,19 +12,19 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=NETRC \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ - packages=(); \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ dpkg --add-architecture "$architecture"; \ - packages+=(libc6:"$architecture"=2.31-13); \ done; \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ curl=7.74.0-1.3+b1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \ procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ dnsutils=1:9.16.15-1 iputils-ping=3:20210202-1 \ - lynis=3.0.2-1 devscripts=2.21.3; \ - apt-get install -qq --no-install-recommends \ - "${packages[@]}"; \ + lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ + for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + apt-get install -qq --no-install-recommends \ + libc6:"$architecture"=2.31-13+deb11u2; \ + done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ rm -rf /var/lib/apt/lists/*; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 640b908..12779de 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 ####################### # Actual "builder" image 
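Review bot: The rewritten RUN step in Dockerfile.auditor now spells the architecture list `armel armhf arm64 ppc64el i386 s390x amd64` twice, once for `dpkg --add-architecture` and once for the per-architecture `apt-get install`, so the two loops can drift apart on the next edit. Declaring it once at the top of the step, e.g. `architectures=(armel armhf arm64 ppc64el i386 s390x amd64); for architecture in "${architectures[@]}"; do`, keeps them in step. The commands are still chained with `;`, so whether a failed install inside the new loop stops the build depends on the SHELL options set outside this hunk; it is worth confirming that errexit is on. Dockerfile.builder gets the same restructuring in its -31,10 and -45,8 hunks, and the RUN instruction starts before the hunk in both files.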
@@ -31,10 +31,8 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=NETRC \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ - packages=(); \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ dpkg --add-architecture "$architecture"; \ - packages+=(crossbuild-essential-"$architecture"=12.9 musl-dev:"$architecture"=1.2.2-1 musl:"$architecture"=1.2.2-1 libc6:"$architecture"=2.31-13 libc6-dev:"$architecture"=2.31-13); \ done; \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ @@ -47,8 +45,14 @@ RUN --mount=type=secret,uid=100,id=CA \ curl=7.74.0-1.3+b1 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ - apt-get install -qq --no-install-recommends \ - "${packages[@]}"; \ + for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + apt-get install -qq --no-install-recommends \ + crossbuild-essential-"$architecture"=12.9 \ + musl-dev:"$architecture"=1.2.2-1 \ + musl:"$architecture"=1.2.2-1 \ + libc6:"$architecture"=2.31-13+deb11u2 \ + libc6-dev:"$architecture"=2.31-13+deb11u2; \ + done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ rm -rf /var/lib/apt/lists/*; \ @@ -62,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION=1.16.8 +ENV GOLANG_VERSION=1.16.9 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -146,7 +150,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.18.0 +ENV NODE_VERSION=14.18.1 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt 
@@ -205,7 +209,7 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -ENV GOLANG_VERSION=1.16.8 +ENV GOLANG_VERSION=1.16.9 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index f68e6dd..c26c9e8 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 ####################### # Downloader is here only to retrieve and validate upstream tarballs 
@@ -8,17 +8,18 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.18.0 +ENV NODE_VERSION=14.18.1 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.8 -ENV GOLANG_LINUX_AMD64_SHA512 ce6683bcafb5f0a980dcf1099202f00849ace729381eb3c10b77465f3e26f511990ab4ada7116231aa4ca51f004c3385991a982b5f8003f198fe5819868ed5b7 -ENV GOLANG_LINUX_ARM64_SHA512 5b35aa242ad725fca6d6e5a60eb41532cd27319fe8acd728d14e51528009fd6245f0e33a12a3fb778102d647db606fa67b5cb55623f42825f6b6977b0dbd8422 -ENV GOLANG_LINUX_ARM_V7_SHA512 9c8d5cff0d909880a7d3a82c16da36bd9d1287a35c5737d6bff3449e6b093420a405c0bfeb55c882df12b6315ef6fd274a22cda22cc5ca380c59b7e7e10db0e8 -ENV GOLANG_LINUX_ARM_V6_SHA512 9c8d5cff0d909880a7d3a82c16da36bd9d1287a35c5737d6bff3449e6b093420a405c0bfeb55c882df12b6315ef6fd274a22cda22cc5ca380c59b7e7e10db0e8 -ENV GOLANG_LINUX_386_SHA512 143fd36c89485b93c5c242f8b4cc300d545046bbaa84457672bb64085f6e53a43cb1cc8152f342c3c3dbd12e459a43382e9bf3817fa5424e68ec00e8150a4f09 -ENV GOLANG_LINUX_S390X_SHA512 021acdcc2cdeac9dd999f88e6515e79891d3d01229fc77ef8492de83589db5ca7d0379a5f3d59bc43dd3fe938951f7ee0972091d919caa4ff8c23018b0b7b3dd -ENV GOLANG_LINUX_PPC64LE_SHA512 e56ce2c98a0a4b5093de543a09849f835107906d8f151f30955365ea1b3dda1cbf007fb28d048299c745300bc4f085ac91182e44472601432a525ee955af6675 +ENV GOLANG_VERSION 1.16.9 +ENV GOLANG_LINUX_AMD64_SHA512 3ef3aed706b9e7c3a877597dde0f0e676e36223929cbd6b0bb4bbecf0b6f49ebac2c4f87cfd306b1d002fe162c1f9c5dfd6f8711125d002962bd1f05fdb78089 +ENV GOLANG_LINUX_ARM64_SHA512 1c2a27e2b2c24914f5938a5ca92e69dbee5e595e9c547123202c58c3aa12c59dc1db2c88eb8a5961100686abdc171bdf285e00b07c55fd8b0c78108e1e2db133 +ENV GOLANG_LINUX_ARM_V7_SHA512 f305df56173f629c796585240ace5c42840f529c79b3ce286764aee727e7c5a58d998488fcde18ebba0fefa1b077714bad5e549831d96ad9a8b9afa081039dd8 +ENV GOLANG_LINUX_ARM_V6_SHA512 f305df56173f629c796585240ace5c42840f529c79b3ce286764aee727e7c5a58d998488fcde18ebba0fefa1b077714bad5e549831d96ad9a8b9afa081039dd8 
+ENV GOLANG_LINUX_386_SHA512 5b10884c842a788a1f30ae4d51ffe0b22490f2befc8a64ff1da7c8fc11025d8f35c291ed7629bc00198d8b8256f6bdb49c1092a8ab9645722512639e53342a12 +ENV GOLANG_LINUX_S390X_SHA512 5a65ef28fb79d7b415bee2e921e7480f62dd09833ec35c2a962a45b8a54f092a6b3d18715fb6176ace6e3974ecf0c896b156d9996a35a496db7fbe8f56eeef04 +ENV GOLANG_LINUX_PPC64LE_SHA512 4e72331bc318ef8942bc62823a3d6a6d4e4dd4baff5b8f6407caabde6a25bb671740910ddc75bd3043547cd59ad502c4faaee126788bb29f41551c56880a6747 + #ENV GOLANG_OLD_VERSION 1.15.13 #ENV GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d diff --git a/Dockerfile.runtime b/Dockerfile.runtime index e61efd6..c86f61f 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-01@sha256:a7606a62eb3333b41d8592c551de866b55ecc7bdee5b05bd0e9ca0ab356da83d +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 ####################### # Overlay From 3ab62997e69e224baf39df7b286d18f9285deea0 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Fri, 15 Oct 2021 21:49:31 -0700 Subject: [PATCH 11/51] Doc Signed-off-by: dubo-dubon-duponey --- README.md | 4 ++-- hack/test.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f1eae30..4da8aff 100644 --- a/README.md +++ b/README.md 
@@ -5,14 +5,14 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: * `ghcr.io/dubo-dubon-duponey/base:runtime-latest` and `ghcr.io/dubo-dubon-duponey/base:runtime-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-01`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-15`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition * `ghcr.io/dubo-dubon-duponey/base:builder-latest` and `ghcr.io/dubo-dubon-duponey/base:builder-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-01`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-15`) * golang, python, and essential cross compilation dev & build tools * `ghcr.io/dubo-dubon-duponey/base:node-latest` and `ghcr.io/dubo-dubon-duponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg diff --git a/hack/test.sh b/hack/test.sh index fc92c17..7661776 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-10-01 \ + --inject date=2021-10-15 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-10-01 \ + --inject date=2021-10-15 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 46b79501c01a4e110de98bb0bcee2c200a294d3c Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 19 Oct 2021 19:47:00 -0700 Subject: [PATCH 12/51] Minor validate script fixes and disaster recovery from registry failed GC 
Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- Dockerfile.runtime | 4 ++-- context/dubo-check | 9 ++++++++- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index caf31e4..96cca4a 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 12779de..52ad128 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index c26c9e8..a3393cd 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index c86f61f..91752c9 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime 
@@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:458b490df863df7f395d35de46abf2f8c86cde3239c513a7ab3f28817f8ac1c6 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e ####################### # Overlay diff --git a/context/dubo-check b/context/dubo-check index e686d8d..93305d1 100755 --- a/context/dubo-check +++ b/context/dubo-check @@ -21,6 +21,10 @@ validate(){ local failed=() local ignored=() local check + [ ! -d "$binary" ] || { + print "%s is a directory. Doing nothing" "$binary" + return + } for check in "${CHECKLIST[@]}"; do [ "${!check:-}" == true ] || { ignored+=("$check"); continue; } case "$check" in @@ -46,7 +50,10 @@ validate(){ [ ! "$(printf "%s" "$DYN")" ] && passed+=("$check") || failed+=("$check") ;; "RUNNING") - "$binary" "--version" >/dev/null 2>&1 || "$binary" version >/dev/null 2>&1 && passed+=("$check") || { + "$binary" "--version" >/dev/null 2>&1 \ + || "$binary" version >/dev/null 2>&1 \ + || "$binary" --help >/dev/null 2>&1 \ + && passed+=("$check") || { failed+=("$check") >&2 printf "FAILING TO RUN BINARY. This is usually quite bad. Output was:\n" >&2 "$binary" "--version" || true From 2825f3e59cd05059ff171b31ef2f45044e4a692f Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 27 Oct 2021 08:12:04 -0700 Subject: [PATCH 13/51] Config home move Signed-off-by: dubo-dubon-duponey --- Dockerfile.runtime | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 91752c9..93ae968 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime 
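Review bot: The new directory guard at the top of `validate()` calls `print`, which is not a bash builtin, while the rest of the visible script reports with `printf`. Unless a `print` helper is defined outside this hunk, the call fails with "command not found" and the message is never shown. With `printf` the bare `return` yields status 0, so a directory counts as a pass and the caller cannot tell a skipped path from a validated one. Suggested: `>&2 printf "%s is a directory. Doing nothing\n" "$binary"`, plus a comment stating that directories are deliberately skipped rather than checked. `validate()` starts before this hunk and continues past it.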
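Review bot: The RUNNING check now accepts `--help` as a third way to start the binary, but the failure branch below still replays only `"$binary" "--version"`, so the printed diagnostic may not match the attempt that mattered. The chain also relies on `||` and `&&` having equal precedence in the shell, which is easy to misread; a comment such as `# any of --version / version / --help succeeding counts as runnable` would make the intent explicit. This check executes the binary under audit up to three times with output discarded, so it is worth documenting that RUNNING should only be enabled for binaries the build itself produced. The case arm continues outside the hunk.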
@@ -160,7 +160,7 @@ ENV GNUTLS_FORCE_FIPS_MODE=1 # https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html ENV XDG_DATA_HOME=/data ENV XDG_DATA_DIRS=/data -ENV XDG_CONFIG_HOME=/config +ENV XDG_CONFIG_HOME=/tmp/config ENV XDG_CONFIG_DIRS=/config ENV XDG_RUNTIME_DIR=/tmp/runtime ENV XDG_STATE_HOME=/tmp/state From de07373a78a7945f69cbb5e01772e65d3adff04b Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Fri, 5 Nov 2021 16:43:09 -0700 Subject: [PATCH 14/51] Nov bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- Dockerfile.runtime | 4 ++-- README.md | 4 ++-- hack/test.sh | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 96cca4a..aad999d 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 52ad128..897ccce 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index a3393cd..3225415 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
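Review bot: `XDG_CONFIG_HOME` now points at `/tmp/config` while `XDG_CONFIG_DIRS` stays at `/config`, and nothing in the hunk says why or who creates the directory. Applications write user configuration under XDG_CONFIG_HOME, so after this change it lives in a location that is typically ephemeral. If /tmp is shared or world-writable in the final image, another process could also pre-create the directory; whether that applies depends on how /tmp is mounted, which is not visible here. A comment above the line would capture the intent, for example `# writable, ephemeral per-run config; read-only defaults stay in /config (XDG_CONFIG_DIRS)`, assuming that is the reason for the move.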
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 93ae968..a576485 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-10-15@sha256:acf4260f850e11b617ffdb44810487973af567bbff74cfe5d1756f140254576e +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 ####################### # Overlay diff --git a/README.md b/README.md index 4da8aff..8eb6737 100644 --- a/README.md +++ b/README.md 
@@ -5,14 +5,14 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: * `ghcr.io/dubo-dubon-duponey/base:runtime-latest` and `ghcr.io/dubo-dubon-duponey/base:runtime-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-15`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition * `ghcr.io/dubo-dubon-duponey/base:builder-latest` and `ghcr.io/dubo-dubon-duponey/base:builder-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-10-15`) + * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * golang, python, and essential cross compilation dev & build tools * `ghcr.io/dubo-dubon-duponey/base:node-latest` and `ghcr.io/dubo-dubon-duponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg diff --git a/hack/test.sh b/hack/test.sh index 7661776..8811ce7 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-10-15 \ + --inject date=2021-11-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="ghcr.io/dubo-dubon-duponey" \ --inject progress=plain \ - --inject date=2021-10-15 \ + --inject date=2021-11-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 6f512cca3eeb0f2b00403bc82a487779f0b7be83 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Fri, 5 Nov 2021 16:43:29 -0700 Subject: [PATCH 15/51] + bash-static 
Signed-off-by: dubo-dubon-duponey --- Dockerfile.runtime | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile.runtime b/Dockerfile.runtime index a576485..d5b2210 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -23,7 +23,8 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - ca-certificates=20210119 + ca-certificates=20210119 \ + bash-static=5.1-2+b3 RUN update-ca-certificates @@ -31,7 +32,9 @@ RUN epoch="$(date --date "$BUILD_CREATED" +%s)"; \ find /etc/ssl/certs -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +; \ find /usr/share/ca-certificates -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' + -RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates +RUN mkdir -p /boot/bin; cp /bin/bash-static /boot/bin/bash + +RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates /boot/bin ######################################################################################################################## # Export of the above From dc7cd40dde2e87c0033dab2d34b84e72810179ab Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Fri, 5 Nov 2021 17:16:03 -0700 Subject: [PATCH 16/51] Bump golang Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 4 ++-- Dockerfile.downloader | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index 897ccce..81abdbc 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -66,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION=1.16.9 +ENV GOLANG_VERSION=1.16.10 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current 
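Review bot: The added `RUN mkdir -p /boot/bin; cp /bin/bash-static /boot/bin/bash` is not covered by the `find … -exec touch` step, which clamps timestamps to `BUILD_CREATED` only under `/etc/ssl/certs` and `/usr/share/ca-certificates`. The copied binary and the new directory therefore go into `/overlay.tar` with build-time mtimes, so the tarball will differ between builds if it is meant to be reproducible, as the timestamp step suggests. The two commands are also joined with `;`, so a failed `mkdir` is not caught unless the shell runs with errexit. `RUN mkdir -p /boot/bin && cp --preserve=timestamps /bin/bash-static /boot/bin/bash` addresses the binary and the error handling; the new directory would still need the same `touch --date="@$epoch"` clamp.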
@@ -209,7 +209,7 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -ENV GOLANG_VERSION=1.16.9 +ENV GOLANG_VERSION=1.16.10 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 3225415..9beeb44 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -11,14 +11,14 @@ ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" ENV NODE_VERSION=14.18.1 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.9 -ENV GOLANG_LINUX_AMD64_SHA512 3ef3aed706b9e7c3a877597dde0f0e676e36223929cbd6b0bb4bbecf0b6f49ebac2c4f87cfd306b1d002fe162c1f9c5dfd6f8711125d002962bd1f05fdb78089 -ENV GOLANG_LINUX_ARM64_SHA512 1c2a27e2b2c24914f5938a5ca92e69dbee5e595e9c547123202c58c3aa12c59dc1db2c88eb8a5961100686abdc171bdf285e00b07c55fd8b0c78108e1e2db133 -ENV GOLANG_LINUX_ARM_V7_SHA512 f305df56173f629c796585240ace5c42840f529c79b3ce286764aee727e7c5a58d998488fcde18ebba0fefa1b077714bad5e549831d96ad9a8b9afa081039dd8 -ENV GOLANG_LINUX_ARM_V6_SHA512 f305df56173f629c796585240ace5c42840f529c79b3ce286764aee727e7c5a58d998488fcde18ebba0fefa1b077714bad5e549831d96ad9a8b9afa081039dd8 -ENV GOLANG_LINUX_386_SHA512 5b10884c842a788a1f30ae4d51ffe0b22490f2befc8a64ff1da7c8fc11025d8f35c291ed7629bc00198d8b8256f6bdb49c1092a8ab9645722512639e53342a12 -ENV GOLANG_LINUX_S390X_SHA512 5a65ef28fb79d7b415bee2e921e7480f62dd09833ec35c2a962a45b8a54f092a6b3d18715fb6176ace6e3974ecf0c896b156d9996a35a496db7fbe8f56eeef04 -ENV GOLANG_LINUX_PPC64LE_SHA512 4e72331bc318ef8942bc62823a3d6a6d4e4dd4baff5b8f6407caabde6a25bb671740910ddc75bd3043547cd59ad502c4faaee126788bb29f41551c56880a6747 +ENV GOLANG_VERSION 1.16.10 +ENV GOLANG_LINUX_AMD64_SHA512 5f5b04eacff72a517bee048485084bd4acbd314e8e0ecceade1ff99d5a4ddfd255d180c6adcea6b13b7ad28a99ceb621860bf2d775a9f8568cfa97ab614e13a6 +ENV GOLANG_LINUX_ARM64_SHA512 1468e083f5fb223f686ce9d76d8183fdcc69a4c4a829eafc14cdd37c44e4047e2772745574a16ec6f2f04bddbc814b3b16a40c9a1f0a7e1fbf26f90d4c0c0db4 +ENV GOLANG_LINUX_ARM_V7_SHA512 169b1e41d47672319a8240d444cd85093b4485b18e5b4fc75ad43f5376393abb1ead918a7cd81389f30d7612341763e7cf2a6433e486ac7e0e7578bf4731334f +ENV GOLANG_LINUX_ARM_V6_SHA512 169b1e41d47672319a8240d444cd85093b4485b18e5b4fc75ad43f5376393abb1ead918a7cd81389f30d7612341763e7cf2a6433e486ac7e0e7578bf4731334f +ENV GOLANG_LINUX_386_SHA512 
522d69530a9c3b7bf61a1b1c31a87e888c1f54fcc662eaaeeee3b2fd1f3abea644747849490afef3c445c526efb8f1305cddff415793fcdf2d7aa564653d363e +ENV GOLANG_LINUX_S390X_SHA512 b01fd9e05ca695ed436e435cafeed4ee097067e1f322b3523d5d1de4aad37efe34266ba980fe3a089158745ba0890cd30c070ce3cfb199a52e5f9cb5488be424 +ENV GOLANG_LINUX_PPC64LE_SHA512 34d69040be8d8ffeffaeeeb9ba1f88040edb557e5494a74a0cda42cf5da6210e43d7a2c76d7e816eba012fb0e7072d397a5ac5bc05e8f4baccb2095705165c88 #ENV GOLANG_OLD_VERSION 1.15.13 From 506dd5c33bf3d12a7cc990145fc9c4fea1f81474 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 15 Nov 2021 15:40:46 -0800 Subject: [PATCH 17/51] Runtime emergency fix Signed-off-by: dubo-dubon-duponey --- Dockerfile.runtime | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/Dockerfile.runtime b/Dockerfile.runtime index d5b2210..7881058 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -23,8 +23,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - ca-certificates=20210119 \ - bash-static=5.1-2+b3 + ca-certificates=20210119 RUN update-ca-certificates @@ -32,8 +31,6 @@ RUN epoch="$(date --date "$BUILD_CREATED" +%s)"; \ find /etc/ssl/certs -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +; \ find /usr/share/ca-certificates -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' + -RUN mkdir -p /boot/bin; cp /bin/bash-static /boot/bin/bash - RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates /boot/bin ######################################################################################################################## 
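Review bot: After this change the overlay-builder stage no longer installs bash-static or creates `/boot/bin`, but the unchanged line `RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates /boot/bin` (context of the `-31,8 +31,6` hunk) still lists that path. Unless the base image already ships `/boot/bin`, GNU tar reports the missing member and exits non-zero, which would fail this RUN. Dropping the stale argument, `RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates`, restores the line as it was before bash-static was added.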
@@ -55,6 +52,24 @@ COPY --from=overlay-builder /overlay.tar /overlay.tar ####################### FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS runtime +RUN --mount=type=secret,uid=100,id=CA \ + --mount=type=secret,uid=100,id=CERTIFICATE \ + --mount=type=secret,uid=100,id=KEY \ + --mount=type=secret,uid=100,id=GPG.gpg \ + --mount=type=secret,id=NETRC \ + --mount=type=secret,id=APT_SOURCES \ + --mount=type=secret,id=APT_CONFIG \ + apt-get update -qq && \ + apt-get install -qq --no-install-recommends bash-static=5.1-2+b3 && \ + mkdir -p /boot/bin && \ + cp /bin/bash-static /boot/bin/bash && \ + apt-get -qq purge bash-static && \ + apt-get -qq autoremove && \ + apt-get -qq clean && \ + rm -rf /var/lib/apt/lists/* && \ + rm -rf /tmp/* && \ + rm -rf /var/tmp/* + # We use this to set mtime on newly created folders ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" From d6c2937b7a87d7bb5a0941212eea362467fe0f33 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 26 Feb 2022 16:03:56 -0800 Subject: [PATCH 18/51] Up Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- Dockerfile.runtime | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index aad999d..0e511e0 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 81abdbc..12aaae2 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
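Review bot: The new RUN in the runtime stage copies `/bin/bash-static` to `/boot/bin/bash` and then purges the `bash-static` package, so the binary stays in the image while its dpkg record is removed. Scanners and SBOM tools that read the package database will not list this bash, and a later fix to the package will not reach the copy until the pin `5.1-2+b3` is bumped by hand. I would add a comment above the RUN recording the origin, e.g. `# /boot/bin/bash is copied from bash-static=5.1-2+b3 and is untracked by dpkg; bump the pin on bash advisories`, and consider an image label carrying the same version. The copy also gets a build-time mtime, which looks inconsistent with the `BUILD_CREATED` mtime handling announced just below the hunk.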
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 9beeb44..93228da 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 7881058..ee6ad81 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2021-11-01@sha256:273567cc10e0d263212ad99a7da2c8267daa70c476024cc9d4ffdf94f47022a5 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 ####################### # Overlay From b2b9d7206122871218f850e18ea844ea88b99ed7 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 26 Feb 2022 17:10:19 -0800 Subject: [PATCH 19/51] Up Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 21 ++++++++++----------- 3 files changed, 15 insertions(+), 16 deletions(-) 
diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 0e511e0..587a748 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -17,9 +17,9 @@ RUN --mount=type=secret,uid=100,id=CA \ done; \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+b1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \ + curl=7.74.0-1.3+deb11u1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \ procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ - dnsutils=1:9.16.15-1 iputils-ping=3:20210202-1 \ + dnsutils=1:9.16.22-1~deb11u1 iputils-ping=3:20210202-1 \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ apt-get install -qq --no-install-recommends \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 12aaae2..c9d5363 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -42,7 +42,7 @@ RUN --mount=type=secret,uid=100,id=CA \ libtool=2.4.6-15 \ pkg-config=0.29.2-1 \ jq=1.6-2.1 \ - curl=7.74.0-1.3+b1 \ + curl=7.74.0-1.3+deb11u1 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ @@ -150,7 +150,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.18.1 +ENV NODE_VERSION=14.19.0 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt @@ -249,7 +249,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+b1 \ + curl=7.74.0-1.3+deb11u1 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ apt-get -qq autoremove; \ diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 93228da..baabc2d 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -8,18 +8,17 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.18.1 +ENV NODE_VERSION=14.19.0 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.10 -ENV GOLANG_LINUX_AMD64_SHA512 5f5b04eacff72a517bee048485084bd4acbd314e8e0ecceade1ff99d5a4ddfd255d180c6adcea6b13b7ad28a99ceb621860bf2d775a9f8568cfa97ab614e13a6 -ENV GOLANG_LINUX_ARM64_SHA512 1468e083f5fb223f686ce9d76d8183fdcc69a4c4a829eafc14cdd37c44e4047e2772745574a16ec6f2f04bddbc814b3b16a40c9a1f0a7e1fbf26f90d4c0c0db4 -ENV GOLANG_LINUX_ARM_V7_SHA512 169b1e41d47672319a8240d444cd85093b4485b18e5b4fc75ad43f5376393abb1ead918a7cd81389f30d7612341763e7cf2a6433e486ac7e0e7578bf4731334f -ENV GOLANG_LINUX_ARM_V6_SHA512 169b1e41d47672319a8240d444cd85093b4485b18e5b4fc75ad43f5376393abb1ead918a7cd81389f30d7612341763e7cf2a6433e486ac7e0e7578bf4731334f -ENV GOLANG_LINUX_386_SHA512 522d69530a9c3b7bf61a1b1c31a87e888c1f54fcc662eaaeeee3b2fd1f3abea644747849490afef3c445c526efb8f1305cddff415793fcdf2d7aa564653d363e -ENV GOLANG_LINUX_S390X_SHA512 b01fd9e05ca695ed436e435cafeed4ee097067e1f322b3523d5d1de4aad37efe34266ba980fe3a089158745ba0890cd30c070ce3cfb199a52e5f9cb5488be424 -ENV GOLANG_LINUX_PPC64LE_SHA512 34d69040be8d8ffeffaeeeb9ba1f88040edb557e5494a74a0cda42cf5da6210e43d7a2c76d7e816eba012fb0e7072d397a5ac5bc05e8f4baccb2095705165c88 - +ENV GOLANG_VERSION 1.16.14 +ENV GOLANG_LINUX_AMD64_SHA512 d20a8c29ee63d28dc423631d68937053280d7946f5c3f6c6c432942c9bf88e250bedf0f6196493264a95132e82c3e1757024f583219a1f1383f162b73d0e7489 +ENV GOLANG_LINUX_ARM64_SHA512 007dcfd406df6e7a35f31884a512476d92a4473246ab9e378997cbdd71dc3de5cc8bc0406e37518fbae26df3762af3234c4ab96a69a1f19533a11d93086905c3 +ENV GOLANG_LINUX_ARM_V7_SHA512 32294904f7bf30fb3ba4d9671fa7cd574a6c988f319caf8f840184e8bd31a9b7f2f4d6f962310aa728a42a9b19fab44bec4c9b79aeb03b969a648278a76475be +ENV GOLANG_LINUX_ARM_V6_SHA512 
32294904f7bf30fb3ba4d9671fa7cd574a6c988f319caf8f840184e8bd31a9b7f2f4d6f962310aa728a42a9b19fab44bec4c9b79aeb03b969a648278a76475be +ENV GOLANG_LINUX_386_SHA512 8d2593f85003634a89ac946963f641bbeccd51f349ea089a7437fb7daa0deaa23906423f48913a1dc2df8987fdb31b33496ae64fd148cd08d9c975702b5bda10 +ENV GOLANG_LINUX_S390X_SHA512 bce0193148a50fef7855a515ec665bda680abaf752b8b802c87ab5b5e05eabe7590a559ddea2625b40f92360f8b4b2769956259aa0a011b0bfa2b7318a8d49da +ENV GOLANG_LINUX_PPC64LE_SHA512 44b328bcee5fd902bec2b09fc1115f83582af84da40dd1c7f5c77da88cd685aa5466a59f0b27bfb3be21e9723aa07c004c33c8f218ae4436afe1b74c02a062a9 #ENV GOLANG_OLD_VERSION 1.15.13 #ENV GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d @@ -43,7 +42,7 @@ RUN --mount=type=secret,uid=100,id=CA \ apt-get update -qq; \ apt-cache show curl gnupg dirmngr ca-certificates; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+b1 \ + curl=7.74.0-1.3+deb11u1 \ gnupg=2.2.27-2 \ dirmngr=2.2.27-2 \ ca-certificates=20210119 From f428892f521f6905c7824672641f5165e6b7ded1 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 9 Apr 2022 10:07:51 -0700 Subject: [PATCH 20/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 18 +++++++++--------- Dockerfile.runtime | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index c9d5363..838967c 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -66,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION=1.16.10 +ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current 
@@ -150,7 +150,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.19.0 +ENV NODE_VERSION=14.19.1 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt @@ -209,7 +209,7 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -ENV GOLANG_VERSION=1.16.10 +ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index baabc2d..3bdeddf 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -8,17 +8,17 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.19.0 +ENV NODE_VERSION=14.19.1 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.14 -ENV GOLANG_LINUX_AMD64_SHA512 d20a8c29ee63d28dc423631d68937053280d7946f5c3f6c6c432942c9bf88e250bedf0f6196493264a95132e82c3e1757024f583219a1f1383f162b73d0e7489 -ENV GOLANG_LINUX_ARM64_SHA512 007dcfd406df6e7a35f31884a512476d92a4473246ab9e378997cbdd71dc3de5cc8bc0406e37518fbae26df3762af3234c4ab96a69a1f19533a11d93086905c3 -ENV GOLANG_LINUX_ARM_V7_SHA512 32294904f7bf30fb3ba4d9671fa7cd574a6c988f319caf8f840184e8bd31a9b7f2f4d6f962310aa728a42a9b19fab44bec4c9b79aeb03b969a648278a76475be -ENV GOLANG_LINUX_ARM_V6_SHA512 32294904f7bf30fb3ba4d9671fa7cd574a6c988f319caf8f840184e8bd31a9b7f2f4d6f962310aa728a42a9b19fab44bec4c9b79aeb03b969a648278a76475be -ENV GOLANG_LINUX_386_SHA512 8d2593f85003634a89ac946963f641bbeccd51f349ea089a7437fb7daa0deaa23906423f48913a1dc2df8987fdb31b33496ae64fd148cd08d9c975702b5bda10 -ENV GOLANG_LINUX_S390X_SHA512 bce0193148a50fef7855a515ec665bda680abaf752b8b802c87ab5b5e05eabe7590a559ddea2625b40f92360f8b4b2769956259aa0a011b0bfa2b7318a8d49da -ENV GOLANG_LINUX_PPC64LE_SHA512 44b328bcee5fd902bec2b09fc1115f83582af84da40dd1c7f5c77da88cd685aa5466a59f0b27bfb3be21e9723aa07c004c33c8f218ae4436afe1b74c02a062a9 +ENV GOLANG_VERSION 1.16.15 +ENV GOLANG_LINUX_AMD64_SHA512 4b034e9ded3b2f67e271d07185e697854f4c22018f26312b9118443331b585f0576c2655de899e7c66082218bc00810ba52f7f45832103e7da9320056b4d6e47 +ENV GOLANG_LINUX_ARM64_SHA512 96f5a1f0897fdc5fa3e7e69ac4cc111cc5d0683f82b2338c3aec58b59e8fa882e1a6c3debff01e53cb542d068f16ab7ba626e04bde5171a5d3c1d6cc2285f5bf +ENV GOLANG_LINUX_ARM_V7_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed +ENV GOLANG_LINUX_ARM_V6_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed 
+ENV GOLANG_LINUX_386_SHA512 d55d44df79f99a35f1544bb50c2d97bb7fc6eea894bfef68073a98d43f989cc09f6ccadac1da90f7130954d10b8533fe355fa5ee301c9110cb5225730e0c0b71 +ENV GOLANG_LINUX_S390X_SHA512 453e27ef9b3a84a9dd8e30e287971c338952e889c2463fcc32275c86c7bcbb569cf1fad9652c3aded2e88eaf23fcd38149592b4627adefb4e9967a0cebb05c04 +ENV GOLANG_LINUX_PPC64LE_SHA512 858009ec3e9800975c6a0eb144e1af256470f397b820273ab4bcfaa44d7dc32bd1ae9ba37ec3c653585bf4e5f206f07b08765bddcf09cf70197d55bdef0c1676 #ENV GOLANG_OLD_VERSION 1.15.13 #ENV GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d diff --git a/Dockerfile.runtime b/Dockerfile.runtime index ee6ad81..dc516a1 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -31,7 +31,7 @@ RUN epoch="$(date --date "$BUILD_CREATED" +%s)"; \ find /etc/ssl/certs -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +; \ find /usr/share/ca-certificates -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' + -RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates /boot/bin +RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates ######################################################################################################################## # Export of the above From 446f4d2b6ccd68c5bf1c1d204d726c673687387b Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 9 Apr 2022 10:27:41 -0700 Subject: [PATCH 21/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 6 +++--- Dockerfile.runtime | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 587a748..8facdbc 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
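Review bot: The rewritten `RUN tar -cf /overlay.tar /etc/ssl/certs /usr/share/ca-certificates` line stops archiving `/boot/bin`, and neither the hunk nor the commit message ("Bump") says why. Whatever unpacks overlay.tar is outside this hunk, so a consumer that expected those files would now miss them without any build error. A one-line comment above the RUN, for example `# /boot/bin is no longer shipped in the overlay: <reason>`, would record the intent. The preceding `find … -exec touch` lines normalise mtimes, which suggests a reproducible archive is the goal; if so, adding `--sort=name` to the tar call would also fix the entry order.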
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor @@ -23,7 +23,7 @@ RUN --mount=type=secret,uid=100,id=CA \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ apt-get install -qq --no-install-recommends \ - libc6:"$architecture"=2.31-13+deb11u2; \ + libc6:"$architecture"=2.31-13+deb11u3; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 838967c..503ba12 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 ####################### # Actual "builder" image @@ -50,8 +50,8 @@ RUN --mount=type=secret,uid=100,id=CA \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.2-1 \ musl:"$architecture"=1.2.2-1 \ - libc6:"$architecture"=2.31-13+deb11u2 \ - libc6-dev:"$architecture"=2.31-13+deb11u2; \ + libc6:"$architecture"=2.31-13+deb11u3 \ + libc6-dev:"$architecture"=2.31-13+deb11u3; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 3bdeddf..ba07beb 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -43,8 +43,8 @@ RUN --mount=type=secret,uid=100,id=CA \ apt-cache show curl gnupg dirmngr ca-certificates; \ apt-get install -qq --no-install-recommends \ curl=7.74.0-1.3+deb11u1 \ - gnupg=2.2.27-2 \ - dirmngr=2.2.27-2 \ + gnupg=2.2.27-2+deb11u1 \ + dirmngr=2.2.27-2+deb11u1 \ ca-certificates=20210119 COPY ./scripts /scripts diff --git a/Dockerfile.runtime b/Dockerfile.runtime index dc516a1..0187798 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-01-01@sha256:6a79de0a961cc825a88cbaca27de2ed4277bf6a1bcf30ce645c59d0927204379 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 ####################### # Overlay From 07afd7d1ebfb9ebeb8cc1f15cd09fd13c81f012d Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 9 Apr 2022 11:08:23 -0700 Subject: [PATCH 22/51] Fix dnsutils Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 8facdbc..f277017 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
@@ -19,7 +19,7 @@ RUN --mount=type=secret,uid=100,id=CA \ apt-get install -qq --no-install-recommends \ curl=7.74.0-1.3+deb11u1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \ procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ - dnsutils=1:9.16.22-1~deb11u1 iputils-ping=3:20210202-1 \ + dnsutils=1:9.16.27-1~deb11u1 iputils-ping=3:20210202-1 \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ apt-get install -qq --no-install-recommends \ From 0a28e5bc036c0f9c17f52790c98b2fd6090a1960 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 11 Apr 2022 14:50:29 -0700 Subject: [PATCH 23/51] Golang bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 6 ++++-- Dockerfile.downloader | 34 +++++++++++++++++----------------- 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index 503ba12..7c1dfd5 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -66,7 +66,8 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION=1.16.15 +ENV GOLANG_VERSION 1.17.8 +#ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -209,7 +210,8 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -ENV GOLANG_VERSION=1.16.15 +#ENV GOLANG_VERSION=1.16.15 +ENV GOLANG_VERSION 1.17.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index ba07beb..7d3c8a2 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
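Review bot: In the Dockerfile.builder hunks, `ENV GOLANG_VERSION 1.17.8` switches to the legacy space-separated ENV form, while the line it replaces and the neighbouring `ENV GOPATH=…` and `ENV PATH=…` lines use `key=value`. The old value is also left behind as a comment. I would write `ENV GOLANG_VERSION=1.17.8` and drop `#ENV GOLANG_VERSION=1.16.15`, in both `@@ -66,7 +66,8 @@` and `@@ -209,7 +210,8 @@`. The version is stated twice in this file and again in Dockerfile.downloader, and the earlier bump in this series shows the copies had drifted (builder at 1.16.10, downloader at 1.16.14), so a comment such as `# keep in sync with Dockerfile.downloader` on each copy would help until they share a single definition.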
@@ -11,23 +11,23 @@ ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" ENV NODE_VERSION=14.19.1 ENV YARN_VERSION=1.22.5 -ENV GOLANG_VERSION 1.16.15 -ENV GOLANG_LINUX_AMD64_SHA512 4b034e9ded3b2f67e271d07185e697854f4c22018f26312b9118443331b585f0576c2655de899e7c66082218bc00810ba52f7f45832103e7da9320056b4d6e47 -ENV GOLANG_LINUX_ARM64_SHA512 96f5a1f0897fdc5fa3e7e69ac4cc111cc5d0683f82b2338c3aec58b59e8fa882e1a6c3debff01e53cb542d068f16ab7ba626e04bde5171a5d3c1d6cc2285f5bf -ENV GOLANG_LINUX_ARM_V7_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed -ENV GOLANG_LINUX_ARM_V6_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed -ENV GOLANG_LINUX_386_SHA512 d55d44df79f99a35f1544bb50c2d97bb7fc6eea894bfef68073a98d43f989cc09f6ccadac1da90f7130954d10b8533fe355fa5ee301c9110cb5225730e0c0b71 -ENV GOLANG_LINUX_S390X_SHA512 453e27ef9b3a84a9dd8e30e287971c338952e889c2463fcc32275c86c7bcbb569cf1fad9652c3aded2e88eaf23fcd38149592b4627adefb4e9967a0cebb05c04 -ENV GOLANG_LINUX_PPC64LE_SHA512 858009ec3e9800975c6a0eb144e1af256470f397b820273ab4bcfaa44d7dc32bd1ae9ba37ec3c653585bf4e5f206f07b08765bddcf09cf70197d55bdef0c1676 - -#ENV GOLANG_OLD_VERSION 1.15.13 -#ENV GOLANG_OLD_LINUX_AMD64_SHA512 866aa22f9ecdba3c250f206d71ced5857aee67bf8da470b68447c11488dc80e243e985c9baeedf56476ddc113320bf0ed5efe8453bd3da071c4aa3abb58e142d -#ENV GOLANG_OLD_LINUX_ARM64_SHA512 362499cd4640bd7a9a7358afbcdd89783c0af5ac2a2209a37e8f15dc2e1392fa1d4704ec33cdf28fa00c09a13b36568e639634b8fa89b958ee7fa9237f1f3e93 -#ENV GOLANG_OLD_LINUX_ARM_V7_SHA512 26eff19aeef922554f6582767488182bf16e3278e0c124f6d0c6524db441465b6c1432976c4c6e88b84a2aab385280e1dd374428c2ac0070806593e108f2ad54 -#ENV GOLANG_OLD_LINUX_ARM_V6_SHA512 26eff19aeef922554f6582767488182bf16e3278e0c124f6d0c6524db441465b6c1432976c4c6e88b84a2aab385280e1dd374428c2ac0070806593e108f2ad54 -#ENV GOLANG_OLD_LINUX_386_SHA512 
6c92732fb2ce75b084cb925e9813d45d626cae8193a1fa4a8f057e65bef1ff6bb64ac68d417dedae51ebae1182b54fb9365ac82dcc42751b2fc697aad015625a
-#ENV GOLANG_OLD_LINUX_S390X_SHA512 0739486667d6a9ea9514dce309afb28a38505ae49337fc3223dcff038685858afbe1f507b6d4d4b89872874e01d01ceac7f0f814f439fbdf4734a212188ee4c9
-#ENV GOLANG_OLD_LINUX_PPC64LE_SHA512 c8a7de65d4f633ee7c058070c6ebd01c3ebcfc9119e2371d18bb775b72b1961c705579df59c69c781eba29b0bbec901080c296ea568a12b610f70c65e2109cf4
+#ENV GOLANG_VERSION 1.16.15
+#ENV GOLANG_LINUX_AMD64_SHA512 4b034e9ded3b2f67e271d07185e697854f4c22018f26312b9118443331b585f0576c2655de899e7c66082218bc00810ba52f7f45832103e7da9320056b4d6e47
+#ENV GOLANG_LINUX_ARM64_SHA512 96f5a1f0897fdc5fa3e7e69ac4cc111cc5d0683f82b2338c3aec58b59e8fa882e1a6c3debff01e53cb542d068f16ab7ba626e04bde5171a5d3c1d6cc2285f5bf
+#ENV GOLANG_LINUX_ARM_V7_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed
+#ENV GOLANG_LINUX_ARM_V6_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed
+#ENV GOLANG_LINUX_386_SHA512 d55d44df79f99a35f1544bb50c2d97bb7fc6eea894bfef68073a98d43f989cc09f6ccadac1da90f7130954d10b8533fe355fa5ee301c9110cb5225730e0c0b71
+#ENV GOLANG_LINUX_S390X_SHA512 453e27ef9b3a84a9dd8e30e287971c338952e889c2463fcc32275c86c7bcbb569cf1fad9652c3aded2e88eaf23fcd38149592b4627adefb4e9967a0cebb05c04
+#ENV GOLANG_LINUX_PPC64LE_SHA512 858009ec3e9800975c6a0eb144e1af256470f397b820273ab4bcfaa44d7dc32bd1ae9ba37ec3c653585bf4e5f206f07b08765bddcf09cf70197d55bdef0c1676
+
+ENV GOLANG_VERSION 1.17.8
+ENV GOLANG_LINUX_AMD64_SHA512 f7dd9bd8bb4ddbf6906a8538f007b099d26a51ef13ccd8a3077945585e800d60e476934316a6a2335dcc25a425e641b73f96b00323c5468aa0bb938b5b6987d7
+ENV GOLANG_LINUX_ARM64_SHA512 58dac7340ed34ba81e675dd906c3512cf061c06cc7526fcc1724a9836452d557b3fe59da62e91cd41e9284f410f41b077f6375ffc7115393467f96067822893f
+ENV GOLANG_LINUX_ARM_V7_SHA512
778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 +ENV GOLANG_LINUX_ARM_V6_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 +ENV GOLANG_LINUX_386_SHA512 737c4c5a4eedcfe9cc29a1e133f79b46ad0326ee6a295aeab7e7569186f3854f5873aed23ebcc1b490f4bec66aa65ccc7ebcc8b768622fd557b348cda45c0cc4 +ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 +ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 ENV FAIL_WHEN_OUTDATED=true From d63148514833fefa017b0b649177369dc81d31c2 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 23 May 2022 18:51:50 -0700 Subject: [PATCH 24/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 8 ++++---- Dockerfile.downloader | 30 ++++++++++++++++++++---------- Dockerfile.runtime | 4 ++-- 4 files changed, 27 insertions(+), 17 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index f277017..1d348a0 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 7c1dfd5..9df6148 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
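Review bot: In the Dockerfile.downloader hunk, the previous release's `GOLANG_VERSION` and all seven checksums are kept as `#ENV …` lines directly above the live block, taking the place of the older commented `GOLANG_OLD_*` set. Stale digests next to the active ones are easy to uncomment or copy by mistake when the next bump is made, and git history already preserves them, so I would delete the commented block rather than rotate it. The `@@ -20,14 +20,24 @@` hunk of the following commit repeats the pattern. Separately, `GOLANG_LINUX_ARM_V7_SHA512` and `GOLANG_LINUX_ARM_V6_SHA512` hold the same value; if that is because both platforms are served by one upstream archive, a comment such as `# arm/v6 and arm/v7 intentionally share one tarball and checksum` would keep a reader from treating it as a copy-paste slip.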
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc ####################### # Actual "builder" image @@ -66,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION 1.17.8 +ENV GOLANG_VERSION 1.17.10 #ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -151,7 +151,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.19.1 +ENV NODE_VERSION=14.19.3 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt @@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION=1.16.15 -ENV GOLANG_VERSION 1.17.8 +ENV GOLANG_VERSION 1.17.10 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 7d3c8a2..ca0db5d 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc ####################### # Downloader is here only to retrieve and validate upstream tarballs 
@@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.19.1 +ENV NODE_VERSION=14.19.3 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.16.15 
@@ -20,14 +20,24 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 453e27ef9b3a84a9dd8e30e287971c338952e889c2463fcc32275c86c7bcbb569cf1fad9652c3aded2e88eaf23fcd38149592b4627adefb4e9967a0cebb05c04 #ENV GOLANG_LINUX_PPC64LE_SHA512 858009ec3e9800975c6a0eb144e1af256470f397b820273ab4bcfaa44d7dc32bd1ae9ba37ec3c653585bf4e5f206f07b08765bddcf09cf70197d55bdef0c1676 -ENV GOLANG_VERSION 1.17.8 -ENV GOLANG_LINUX_AMD64_SHA512 f7dd9bd8bb4ddbf6906a8538f007b099d26a51ef13ccd8a3077945585e800d60e476934316a6a2335dcc25a425e641b73f96b00323c5468aa0bb938b5b6987d7 -ENV GOLANG_LINUX_ARM64_SHA512 58dac7340ed34ba81e675dd906c3512cf061c06cc7526fcc1724a9836452d557b3fe59da62e91cd41e9284f410f41b077f6375ffc7115393467f96067822893f -ENV GOLANG_LINUX_ARM_V7_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 -ENV GOLANG_LINUX_ARM_V6_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 -ENV GOLANG_LINUX_386_SHA512 737c4c5a4eedcfe9cc29a1e133f79b46ad0326ee6a295aeab7e7569186f3854f5873aed23ebcc1b490f4bec66aa65ccc7ebcc8b768622fd557b348cda45c0cc4 -ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 -ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 +#ENV GOLANG_VERSION 1.17.8 +#ENV GOLANG_LINUX_AMD64_SHA512 f7dd9bd8bb4ddbf6906a8538f007b099d26a51ef13ccd8a3077945585e800d60e476934316a6a2335dcc25a425e641b73f96b00323c5468aa0bb938b5b6987d7 +#ENV GOLANG_LINUX_ARM64_SHA512 58dac7340ed34ba81e675dd906c3512cf061c06cc7526fcc1724a9836452d557b3fe59da62e91cd41e9284f410f41b077f6375ffc7115393467f96067822893f +#ENV GOLANG_LINUX_ARM_V7_SHA512 
778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 +#ENV GOLANG_LINUX_ARM_V6_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 +#ENV GOLANG_LINUX_386_SHA512 737c4c5a4eedcfe9cc29a1e133f79b46ad0326ee6a295aeab7e7569186f3854f5873aed23ebcc1b490f4bec66aa65ccc7ebcc8b768622fd557b348cda45c0cc4 +#ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 +#ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 + +ENV GOLANG_VERSION 1.17.10 +ENV GOLANG_LINUX_AMD64_SHA512 ee317238db28f2f77589e893fceef36a938df2131b493024b28c991ce8bd918e4db04bd4aac6119599167fa7c759d4cb4feb8013c61bd9f486ea8d0aab713894 +ENV GOLANG_LINUX_ARM64_SHA512 d51aa43bb55504cfe234676839896afaecd103deb27ca2c14138dfb94e86264316ec107d4208bbbec3443dbfbf31504394339a5b798c1f0d7bbf094560bcffbc +ENV GOLANG_LINUX_ARM_V7_SHA512 fa69ad58d1cb8b587feeee6140375ba972e689dcc57d1ab4643073ba575f931895e67b103a3b9acd68b2063646bf99507e749c4955b3e553c398184a2489c482 +ENV GOLANG_LINUX_ARM_V6_SHA512 fa69ad58d1cb8b587feeee6140375ba972e689dcc57d1ab4643073ba575f931895e67b103a3b9acd68b2063646bf99507e749c4955b3e553c398184a2489c482 +ENV GOLANG_LINUX_386_SHA512 3a2d1cc252838728aef23ad801a5da616f344290a53ed6e80814c995ca4b48766d756fed9086611b486cb910ce8bb3c3905c661c4ea51c90f9f6f6d022042634 +ENV GOLANG_LINUX_S390X_SHA512 c735b2704ee7bf7030cdbb421c1109e85df0bc12c7881f1f2c44205a7e126d8a1aec85a418a4aadef2769ae5eb10426583c86092d974d8542f69e4b74010bef6 +ENV GOLANG_LINUX_PPC64LE_SHA512 e9c92edf22340ea157941215dac6d9d8b8c0efa386c2580eb7b6f9891e25154a6c2ae0a2de773cc2c0c68d7c4156fbaae486cf6f9ff17194b30de095e7a137d6 + ENV FAIL_WHEN_OUTDATED=true 
diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 0187798..2661321 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-04-01@sha256:eb89aeccb5828d0bec68d3b67f56f47c6d919ceaacff2096b81b48d49a914350 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc ####################### # Overlay From 24fe53ec42cc583f363d3780670cf3b31e0d3796 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 25 May 2022 18:01:30 -0700 Subject: [PATCH 25/51] Bump node Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index 9df6148..c69835f 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -151,7 +151,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=14.19.3 +ENV NODE_VERSION=16.15.0 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt diff --git a/Dockerfile.downloader b/Dockerfile.downloader index ca0db5d..a511eb8 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=14.19.3 +ENV NODE_VERSION=16.15.0 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.16.15 From b5cd367ee7c62c3b6c6d63e8b72edbae102c69b1 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 8 Jun 2022 16:13:08 -0700 Subject: [PATCH 26/51] Tweak 
Signed-off-by: dubo-dubon-duponey --- hack/helpers/install-tools.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/helpers/install-tools.sh b/hack/helpers/install-tools.sh index 8376c82..8be862c 100755 --- a/hack/helpers/install-tools.sh +++ b/hack/helpers/install-tools.sh @@ -6,7 +6,7 @@ export DATE=2021-08-01 export BIN_LOCATION="${BIN_LOCATION:-$HOME/bin}" export PATH="$BIN_LOCATION:$PATH" -readonly IMAGE_TOOLS="${IMAGE_TOOLS:-ghcr.io/dubo-dubon-duponey/tools:$(uname -s | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}" +readonly IMAGE_TOOLS="${IMAGE_TOOLS:-dubodubonduponey/tools:$(uname -s | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}" export SHELLCHECK_VERSION=0.7.2 export HADOLINT_VERSION=2.7.0 From b10646250ccabef99f7e641c47cfc204803bb059 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 8 Jun 2022 16:40:26 -0700 Subject: [PATCH 27/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 19 +++++++++---------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index c69835f..a9f67af 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -66,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION 1.17.10 +ENV GOLANG_VERSION 1.17.11 #ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -151,7 +151,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=16.15.0 +ENV NODE_VERSION=16.15.1 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt 
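Review bot: The new default for `IMAGE_TOOLS` is `dubodubonduponey/tools:…`, with no registry host and no digest, so which registry serves it depends on the container client's default, and the tag can later be pointed at different content. How the image is used is outside this hunk, but the surrounding `BIN_LOCATION` and `PATH` exports suggest binaries taken from it end up on the caller's PATH, which makes its origin worth stating explicitly. I would spell the host out in the default (`index.docker.io/dubodubonduponey/tools:…`) and add a comment above it, `# tag only, not digest-pinned: override IMAGE_TOOLS with an @sha256 reference for verified installs`. The commit message ("Tweak") gives no reason for leaving ghcr.io, and one line on that would help too.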
@@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION=1.16.15 -ENV GOLANG_VERSION 1.17.10 +ENV GOLANG_VERSION 1.17.11 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index a511eb8..92967f1 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=16.15.0 +ENV NODE_VERSION=16.15.1 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.16.15 
@@ -29,15 +29,14 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 #ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 -ENV GOLANG_VERSION 1.17.10 -ENV GOLANG_LINUX_AMD64_SHA512 ee317238db28f2f77589e893fceef36a938df2131b493024b28c991ce8bd918e4db04bd4aac6119599167fa7c759d4cb4feb8013c61bd9f486ea8d0aab713894 -ENV GOLANG_LINUX_ARM64_SHA512 d51aa43bb55504cfe234676839896afaecd103deb27ca2c14138dfb94e86264316ec107d4208bbbec3443dbfbf31504394339a5b798c1f0d7bbf094560bcffbc -ENV GOLANG_LINUX_ARM_V7_SHA512 fa69ad58d1cb8b587feeee6140375ba972e689dcc57d1ab4643073ba575f931895e67b103a3b9acd68b2063646bf99507e749c4955b3e553c398184a2489c482 -ENV GOLANG_LINUX_ARM_V6_SHA512 fa69ad58d1cb8b587feeee6140375ba972e689dcc57d1ab4643073ba575f931895e67b103a3b9acd68b2063646bf99507e749c4955b3e553c398184a2489c482 -ENV GOLANG_LINUX_386_SHA512 3a2d1cc252838728aef23ad801a5da616f344290a53ed6e80814c995ca4b48766d756fed9086611b486cb910ce8bb3c3905c661c4ea51c90f9f6f6d022042634 -ENV GOLANG_LINUX_S390X_SHA512 c735b2704ee7bf7030cdbb421c1109e85df0bc12c7881f1f2c44205a7e126d8a1aec85a418a4aadef2769ae5eb10426583c86092d974d8542f69e4b74010bef6 -ENV GOLANG_LINUX_PPC64LE_SHA512 e9c92edf22340ea157941215dac6d9d8b8c0efa386c2580eb7b6f9891e25154a6c2ae0a2de773cc2c0c68d7c4156fbaae486cf6f9ff17194b30de095e7a137d6 - +ENV GOLANG_VERSION 1.17.11 +ENV GOLANG_LINUX_AMD64_SHA512 f25e730abc94364ae36c5d5834125cec1cea77c0c8a65ec23acf6f2c3f0a8e908547530202f818d13b74f21a037206fed546826838ffdebc5d1a10cb3a182e44 +ENV GOLANG_LINUX_ARM64_SHA512 bef59fc7fccc7570ab8222af41af852354b7b926f41f48377c3bcd891dd4fc312ca82d4b2c8fe9b669b37d5cb385dbdaf58a92af3b89991e825dc6cafc793d03 +ENV GOLANG_LINUX_ARM_V7_SHA512 
2812c3d6596709cb99c5da809c19b51c2601901fb70e48486e9ae1d201eb03878b36aa575849641e4b91addbcbf843ca27ccab150031a9c82c35681291c69859 +ENV GOLANG_LINUX_ARM_V6_SHA512 2812c3d6596709cb99c5da809c19b51c2601901fb70e48486e9ae1d201eb03878b36aa575849641e4b91addbcbf843ca27ccab150031a9c82c35681291c69859 +ENV GOLANG_LINUX_386_SHA512 ab42e96650b33bf9612230b3a145873a2536bd54a6c0d8ec990b543c7abe6b3d96a232b398c752437e0fa6b4952a4f74b2106ae8f774b3b02f2266fcd34231bf +ENV GOLANG_LINUX_S390X_SHA512 642ac391a119fbfa0133c93825f3e2bf6fe57d562f9d77557d5dec2749e7474bdb41e5688957a3a6b83dd67866ccbfa4c90874aba7d6c35623f49570a6756127 +ENV GOLANG_LINUX_PPC64LE_SHA512 7125f3be057109b9be52ae3b417004a72183385b03818194d17ea4e2f3522df2d12f56bb9fa2593eccf724b65dac34b5c4ac08d235699b3e407178aaf7247a07 ENV FAIL_WHEN_OUTDATED=true From 06bafc49321348da5170cdf101f53c233b42f2bc Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 8 Jun 2022 23:14:31 -0700 Subject: [PATCH 28/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 2 +- Dockerfile.runtime | 4 ++-- cue.mod/pkg/duponey.cloud/buildkit/types/platform.cue | 4 +++- 5 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 1d348a0..ab022ad 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index a9f67af..26d3c3f 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 92967f1..7f623bd 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 2661321..1a48bbc 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-05-01@sha256:4da4df1c0a69fd1faf929df7c7956415803524831d3e770a969d475d496d78bc +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 ####################### # Overlay diff --git a/cue.mod/pkg/duponey.cloud/buildkit/types/platform.cue b/cue.mod/pkg/duponey.cloud/buildkit/types/platform.cue index 579ccf1..1d4d2dd 100644 --- a/cue.mod/pkg/duponey.cloud/buildkit/types/platform.cue +++ b/cue.mod/pkg/duponey.cloud/buildkit/types/platform.cue 
@@ -6,7 +6,7 @@ import ( #Platforms: { // XXX for whatever reason, this HAS TO BE DONE THIS WAY and not as below - [...=~ "^(?:\(#AMD64)|\(#ARM64)|\(#V7)|\(#V6)|\(#PPC64LE)|\(#S390X)|\(#I386)|\(#RISCV64))$"] // | *[] + [...=~ "^(?:\(#AMD64)|\(#ARM64)|\(#V7)|\(#V6)|\(#V5)|\(#PPC64LE)|\(#MIPS64LE)|\(#S390X)|\(#I386)|\(#RISCV64))$"] // | *[] // XXX might not work - other circumstances have demonstrated this is broken as fuck // [...#AMD64 | #ARM64 | #V7 | #V6 | #PPC64LE | #S390X | #I386 | #RISCV64] | *[] @@ -14,7 +14,9 @@ import ( #ARM64: "linux/arm64" #V7: "linux/arm/v7" #V6: "linux/arm/v6" + #V5: "linux/arm/v5" #PPC64LE: "linux/ppc64le" + #MIPS64LE: "linux/mips64le" #S390X: "linux/s390x" #I386: "linux/386" #RISCV64: "linux/riscv64" From e8a8c806049e8046efb341f7f0da12ea9a95abbb Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 20 Aug 2022 18:31:58 -0700 Subject: [PATCH 29/51] Bump Signed-off-by: dubo-dubon-duponey --- .github/workflows/CI.yml | 2 +- Dockerfile.auditor | 4 +-- Dockerfile.builder | 10 +++---- Dockerfile.downloader | 26 +++++++++---------- Dockerfile.runtime | 8 +++--- README.md | 12 ++++----- .../buildkit/buildctl/buildctl.cue | 1 + hack/helpers/start-buildkit.sh | 2 +- hack/test.sh | 4 +-- 9 files changed, 35 insertions(+), 34 deletions(-) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index ee67e27..acebbe5 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -47,7 +47,7 @@ jobs: --env ADDITIONAL_DOMAINS=*.debian.org \ --volume "$GITHUB_WORKSPACE/cache/certs":/certs \ --volume "$GITHUB_WORKSPACE/cache/apt":/data \ - ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01 + index.docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01 - name: test run: | diff --git a/Dockerfile.auditor b/Dockerfile.auditor index ab022ad..b7b9d7c 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
@@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 +ARG FROM_REGISTRY=index.docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 26d3c3f..e0a637b 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 +ARG FROM_REGISTRY=index.docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 ####################### # Actual "builder" image @@ -66,7 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION 1.17.11 +ENV GOLANG_VERSION 1.17.13 #ENV GOLANG_VERSION=1.16.15 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -151,7 +151,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=16.15.1 +ENV NODE_VERSION=16.17.0 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt @@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION=1.16.15 -ENV GOLANG_VERSION 1.17.11 +ENV GOLANG_VERSION 1.17.13 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 7f623bd..2c75eba 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
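Review bot: The new `FROM_IMAGE_RUNTIME` value in Dockerfile.auditor drops the `@sha256:` digest the previous value carried, so `FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME` now resolves a mutable tag, and from a different registry than before. Every image built on this base then depends on whatever that tag points to at build time, and a re-pushed or tampered tag would go unnoticed. The same change is made in the first hunks of Dockerfile.builder, Dockerfile.downloader and Dockerfile.runtime in this commit. Keep the pin when bumping, e.g. `ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01@sha256:<digest-of-the-new-image>`, and record the digest as resolved from the new registry.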
@@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 +ARG FROM_REGISTRY=index.docker.io/dubodubonduponey +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-08-01 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=16.15.1 +ENV NODE_VERSION=16.17.0 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.16.15 
@@ -29,14 +29,14 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 #ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 -ENV GOLANG_VERSION 1.17.11 -ENV GOLANG_LINUX_AMD64_SHA512 f25e730abc94364ae36c5d5834125cec1cea77c0c8a65ec23acf6f2c3f0a8e908547530202f818d13b74f21a037206fed546826838ffdebc5d1a10cb3a182e44 -ENV GOLANG_LINUX_ARM64_SHA512 bef59fc7fccc7570ab8222af41af852354b7b926f41f48377c3bcd891dd4fc312ca82d4b2c8fe9b669b37d5cb385dbdaf58a92af3b89991e825dc6cafc793d03 -ENV GOLANG_LINUX_ARM_V7_SHA512 2812c3d6596709cb99c5da809c19b51c2601901fb70e48486e9ae1d201eb03878b36aa575849641e4b91addbcbf843ca27ccab150031a9c82c35681291c69859 -ENV GOLANG_LINUX_ARM_V6_SHA512 2812c3d6596709cb99c5da809c19b51c2601901fb70e48486e9ae1d201eb03878b36aa575849641e4b91addbcbf843ca27ccab150031a9c82c35681291c69859 -ENV GOLANG_LINUX_386_SHA512 ab42e96650b33bf9612230b3a145873a2536bd54a6c0d8ec990b543c7abe6b3d96a232b398c752437e0fa6b4952a4f74b2106ae8f774b3b02f2266fcd34231bf -ENV GOLANG_LINUX_S390X_SHA512 642ac391a119fbfa0133c93825f3e2bf6fe57d562f9d77557d5dec2749e7474bdb41e5688957a3a6b83dd67866ccbfa4c90874aba7d6c35623f49570a6756127 -ENV GOLANG_LINUX_PPC64LE_SHA512 7125f3be057109b9be52ae3b417004a72183385b03818194d17ea4e2f3522df2d12f56bb9fa2593eccf724b65dac34b5c4ac08d235699b3e407178aaf7247a07 +ENV GOLANG_VERSION 1.17.13 +ENV GOLANG_LINUX_AMD64_SHA512 672ce66bd7f1400b66d367f1026f3d7062201a8d686b4c1813ccade597ebbe89f9bd98130badd1d7bc6f2cf4020d63a4e71323b44a96fad842d5766ca92aa822 +ENV GOLANG_LINUX_ARM64_SHA512 8f70e89f7dbffe0d4892460a7508b8acd5830999150732388bf69a49e2120cadabe3b4ce641cfe805d4bf871d6e374ad2398fb029f55361607e0eba1c7ea62a4 +ENV GOLANG_LINUX_ARM_V7_SHA512 
5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 +ENV GOLANG_LINUX_ARM_V6_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 +ENV GOLANG_LINUX_386_SHA512 0449a2b27d75d654fd214776ae3025d098f55d93a7b0ce07325864f1637d7ae4c8eca782578b6edbd05536e031339ee2bb466f82cbe5d29506033ea9f1aed167 +ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 +ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a ENV FAIL_WHEN_OUTDATED=true @@ -52,8 +52,8 @@ RUN --mount=type=secret,uid=100,id=CA \ apt-cache show curl gnupg dirmngr ca-certificates; \ apt-get install -qq --no-install-recommends \ curl=7.74.0-1.3+deb11u1 \ - gnupg=2.2.27-2+deb11u1 \ - dirmngr=2.2.27-2+deb11u1 \ + gnupg=2.2.27-2+deb11u2 \ + dirmngr=2.2.27-2+deb11u2 \ ca-certificates=20210119 COPY ./scripts /scripts diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 1a48bbc..78f1b22 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ -ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-06-01@sha256:0f4f51555f4c320809bf842095d703c0c9918127eb33a5cc1a34ebea304bb4d6 +ARG FROM_REGISTRY=index.docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-08-01 ####################### # Overlay 
@@ -60,7 +60,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq && \ - apt-get install -qq --no-install-recommends bash-static=5.1-2+b3 && \ + apt-get install -qq --no-install-recommends bash-static=5.1-2+deb11u1 && \ mkdir -p /boot/bin && \ cp /bin/bash-static /boot/bin/bash && \ apt-get -qq purge bash-static && \ diff --git a/README.md b/README.md index 8eb6737..3e1df61 100644 --- a/README.md +++ b/README.md 
@@ -4,21 +4,21 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: -* `ghcr.io/dubo-dubon-duponey/base:runtime-latest` and `ghcr.io/dubo-dubon-duponey/base:runtime-$SUITE-$DATE` +* `index.docker.io/dubodubonduponey/base:runtime-latest` and `index.docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition -* `ghcr.io/dubo-dubon-duponey/base:builder-latest` and `ghcr.io/dubo-dubon-duponey/base:builder-$SUITE-$DATE` +* `index.docker.io/dubodubonduponey/base:builder-latest` and `index.docker.io/dubodubonduponey/base:builder-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * golang, python, and essential cross compilation dev & build tools -* `ghcr.io/dubo-dubon-duponey/base:node-latest` and `ghcr.io/dubo-dubon-duponey/base:node-$SUITE-$DATE` +* `index.docker.io/dubodubonduponey/base:node-latest` and `index.docker.io/dubodubonduponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg -* `ghcr.io/dubo-dubon-duponey/base:golang-latest` and `ghcr.io/dubo-dubon-duponey/base:golang-$SUITE-$DATE` +* `index.docker.io/dubodubonduponey/base:golang-latest` and `index.docker.io/dubodubonduponey/base:golang-$SUITE-$DATE` * just golang and git -* `ghcr.io/dubo-dubon-duponey/base:auditor-latest` and `ghcr.io/dubo-dubon-duponey/base:auditor-$SUITE-$DATE` +* `index.docker.io/dubodubonduponey/base:auditor-latest` and `index.docker.io/dubodubonduponey/base:auditor-$SUITE-$DATE` * test and security hardening tools ## TL;DR 
@@ -44,7 +44,7 @@ export BUILDKIT_HOST=$(./hack/helpers/start-buildkit.sh 2>/dev/null) ./hack/build.sh auditor ``` -Note that the above will by default try to push to `ghcr.io/dubo-dubon-duponey/base`. +Note that the above will by default try to push to `index.docker.io/dubodubonduponey/base`. Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control the push destination. diff --git a/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue b/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue index 2cb902b..7a74ef0 100644 --- a/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue +++ b/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue @@ -72,6 +72,7 @@ import ( ["--local", "dockerfile=\(dockerfile)"] + ["--frontend", frontend] + + ["--trace", "buildctl.trace.json"] + ["--opt", "filename=\(filename)"] + ["--local", "context=\(context)"] + diff --git a/hack/helpers/start-buildkit.sh b/hack/helpers/start-buildkit.sh index fc75009..3e07744 100755 --- a/hack/helpers/start-buildkit.sh +++ b/hack/helpers/start-buildkit.sh @@ -4,7 +4,7 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail export SUITE=bullseye export DATE=2021-08-01 -readonly IMAGE_BLDKT="${IMAGE_BLDKT:-ghcr.io/dubo-dubon-duponey/buildkit:$SUITE-$DATE}" +readonly IMAGE_BLDKT="${IMAGE_BLDKT:-index.docker.io/dubodubonduponey/buildkit:$SUITE-$DATE}" setup::buildkit() { [ "$(docker container inspect -f '{{.State.Running}}' dbdbdp-buildkit 2>/dev/null)" == "true" ] || { diff --git a/hack/test.sh b/hack/test.sh index 8811ce7..7bb781c 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -7,7 +7,7 @@ readonly root # XXX right now this is not testing much but the runtime image building if ! "$root/hack/build.sh" \ - --inject registry="ghcr.io/dubo-dubon-duponey" \ + --inject registry="index.docker.io/dubodubonduponey" \ --inject progress=plain \ --inject date=2021-11-01 \ --inject suite=bullseye \ 
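Review bot: The added `["--trace", "buildctl.trace.json"] +` entry in buildctl.cue is unconditional and uses a fixed relative path, so every invocation writes a trace into the current working directory and overwrites the previous one. If that directory is also the one passed as `context=\(context)`, the file can end up inside the build context; this cannot be confirmed from the hunk. Make the trace path an optional field that defaults to no tracing, and keep the file out of the context and out of version control. The list expression this entry belongs to starts and ends outside the hunk.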
@@ -18,7 +18,7 @@ if ! "$root/hack/build.sh" \ fi if ! "$root/hack/build.sh" \ - --inject registry="ghcr.io/dubo-dubon-duponey" \ + --inject registry="index.docker.io/dubodubonduponey" \ --inject progress=plain \ --inject date=2021-11-01 \ --inject suite=bullseye \ From c797ab0d870b73494d2437c3785ae7321ccb2c99 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 12 Sep 2022 16:30:50 -0700 Subject: [PATCH 30/51] Bump Signed-off-by: dubo-dubon-duponey --- .github/workflows/CI.yml | 9 ++++----- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 4 ++-- Dockerfile.downloader | 4 ++-- Dockerfile.runtime | 6 +++--- README.md | 12 ++++++------ hack/helpers/start-buildkit.sh | 2 +- hack/lint.sh | 2 +- hack/test.sh | 4 ++-- 9 files changed, 23 insertions(+), 24 deletions(-) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index acebbe5..31f466c 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -5,7 +5,7 @@ on: [push, pull_request] jobs: test: # The type of runner that the job will run on - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -31,8 +31,6 @@ jobs: - name: Start apt proxy run: | - # Hiding the read-only token base64 to avoid github disabling it... - echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin docker run --rm -d --expose 443 --expose 80 --pull always \ --name apt-front \ --read-only \ 
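Review bot: Deleting the `docker login ghcr.io` line in the "Start apt proxy" step takes the base64-encoded token out of the workflow, but not out of the repository history or this patch series. Base64 is an encoding, not protection. Nothing in the hunk shows that the token was revoked, so it should be treated as disclosed and revoked at the registry even though the comment calls it read-only. If a registry login is needed again, read it from the CI secret store, e.g. `echo "${{ secrets.<REGISTRY_TOKEN_PLACEHOLDER> }}" | docker login <registry> -u <user> --password-stdin`. The `run:` block continues outside the hunk.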
@@ -47,12 +45,13 @@ jobs: --env ADDITIONAL_DOMAINS=*.debian.org \ --volume "$GITHUB_WORKSPACE/cache/certs":/certs \ --volume "$GITHUB_WORKSPACE/cache/apt":/data \ - index.docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01 + docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01 - name: test run: | # Set the path and install the tools - BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh + export PATH="$GITHUB_WORKSPACE/cache/bin:$PATH" + ./hack/helpers/install-tools.sh # Start buildkit bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)" # Sanity check diff --git a/Dockerfile.auditor b/Dockerfile.auditor index b7b9d7c..aeb2f72 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=index.docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 +ARG FROM_REGISTRY=docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index e0a637b..f87d37d 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=index.docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 +ARG FROM_REGISTRY=docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 2c75eba..6a99076 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ -ARG FROM_REGISTRY=index.docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-08-01 +ARG FROM_REGISTRY=docker.io/dubodubonduponey +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-09-01 ####################### # Downloader is here only to retrieve and validate upstream tarballs diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 78f1b22..603e611 100644 
--- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ -ARG FROM_REGISTRY=index.docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-08-01 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-08-01 +ARG FROM_REGISTRY=docker.io/dubodubonduponey +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-09-01 ####################### # Overlay diff --git a/README.md b/README.md index 3e1df61..518732a 100644 --- a/README.md +++ b/README.md 
@@ -4,21 +4,21 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: -* `index.docker.io/dubodubonduponey/base:runtime-latest` and `index.docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE` +* `docker.io/dubodubonduponey/base:runtime-latest` and `docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition -* `index.docker.io/dubodubonduponey/base:builder-latest` and `index.docker.io/dubodubonduponey/base:builder-$SUITE-$DATE` +* `docker.io/dubodubonduponey/base:builder-latest` and `docker.io/dubodubonduponey/base:builder-$SUITE-$DATE` * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) * golang, python, and essential cross compilation dev & build tools -* `index.docker.io/dubodubonduponey/base:node-latest` and `index.docker.io/dubodubonduponey/base:node-$SUITE-$DATE` +* `docker.io/dubodubonduponey/base:node-latest` and `docker.io/dubodubonduponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg -* `index.docker.io/dubodubonduponey/base:golang-latest` and `index.docker.io/dubodubonduponey/base:golang-$SUITE-$DATE` +* `docker.io/dubodubonduponey/base:golang-latest` and `docker.io/dubodubonduponey/base:golang-$SUITE-$DATE` * just golang and git -* `index.docker.io/dubodubonduponey/base:auditor-latest` and `index.docker.io/dubodubonduponey/base:auditor-$SUITE-$DATE` +* `docker.io/dubodubonduponey/base:auditor-latest` and `docker.io/dubodubonduponey/base:auditor-$SUITE-$DATE` * test and security hardening tools ## TL;DR 
@@ -44,7 +44,7 @@ export BUILDKIT_HOST=$(./hack/helpers/start-buildkit.sh 2>/dev/null) ./hack/build.sh auditor ``` -Note that the above will by default try to push to `index.docker.io/dubodubonduponey/base`. +Note that the above will by default try to push to `docker.io/dubodubonduponey/base`. Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control the push destination. diff --git a/hack/helpers/start-buildkit.sh b/hack/helpers/start-buildkit.sh index 3e07744..80702fa 100755 --- a/hack/helpers/start-buildkit.sh +++ b/hack/helpers/start-buildkit.sh @@ -4,7 +4,7 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail export SUITE=bullseye export DATE=2021-08-01 -readonly IMAGE_BLDKT="${IMAGE_BLDKT:-index.docker.io/dubodubonduponey/buildkit:$SUITE-$DATE}" +readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit:$SUITE-$DATE}" setup::buildkit() { [ "$(docker container inspect -f '{{.State.Running}}' dbdbdp-buildkit 2>/dev/null)" == "true" ] || { diff --git a/hack/lint.sh b/hack/lint.sh index 0334f25..e39dd2d 100755 --- a/hack/lint.sh +++ b/hack/lint.sh @@ -24,4 +24,4 @@ if ! hadolint "${hadolint_ignore[@]}" "$root"/*Dockerfile*; then exit 1 fi -find "$root" -iname "*.sh" -not -path "*debuerreotype*" -exec shellcheck {} \; +find "$root" -iname "*.sh" -not -path "*debuerreotype*" -not -path "*cache*" -exec shellcheck {} \; diff --git a/hack/test.sh b/hack/test.sh index 7bb781c..584edaf 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -7,7 +7,7 @@ readonly root # XXX right now this is not testing much but the runtime image building if ! "$root/hack/build.sh" \ - --inject registry="index.docker.io/dubodubonduponey" \ + --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ --inject date=2021-11-01 \ --inject suite=bullseye \ 
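Review bot: The new `-not -path "*cache*"` filter in hack/lint.sh excludes any script whose path contains "cache" anywhere, not only the top-level cache directory. A project script in a directory or file named with that substring would silently stop being checked by shellcheck. Anchor the pattern to the directory that is meant, e.g. `-not -path "$root/cache/*"`.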
@@ -18,7 +18,7 @@ if ! "$root/hack/build.sh" \ fi if ! "$root/hack/build.sh" \ - --inject registry="index.docker.io/dubodubonduponey" \ + --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ --inject date=2021-11-01 \ --inject suite=bullseye \ From 594902c06296f78cbadb601a88527cecf91fb464 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 12 Sep 2022 16:59:14 -0700 Subject: [PATCH 31/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 6 +++--- hack/test.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index f87d37d..fd8eb47 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -35,18 +35,18 @@ RUN --mount=type=secret,uid=100,id=CA \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ - apt-get install -qq --no-install-recommends \ + apt-get install -y --no-install-recommends \ build-essential=12.9 \ autoconf=2.69-14 \ automake=1:1.16.3-2 \ libtool=2.4.6-15 \ pkg-config=0.29.2-1 \ jq=1.6-2.1 \ - curl=7.74.0-1.3+deb11u1 \ + curl=7.74.0-1.3+deb11u2 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ - apt-get install -qq --no-install-recommends \ + apt-get install -y --no-install-recommends \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.2-1 \ musl:"$architecture"=1.2.2-1 \ diff --git a/hack/test.sh b/hack/test.sh index 584edaf..00ed4ac 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2021-11-01 \ + --inject date=2022-09-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then 
@@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2021-11-01 \ + --inject date=2022-09-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From 9b2f1e9b55ba3ce92da41546bf23b5fa893c5be6 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 12 Sep 2022 18:39:34 -0700 Subject: [PATCH 32/51] Bump curl Signed-off-by: dubo-dubon-duponey --- Dockerfile.downloader | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 6a99076..bf12b69 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -49,9 +49,8 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ - apt-cache show curl gnupg dirmngr ca-certificates; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u1 \ + curl=7.74.0-1.3+deb11u2 \ gnupg=2.2.27-2+deb11u2 \ dirmngr=2.2.27-2+deb11u2 \ ca-certificates=20210119 From 0bc1fd3a574f36f4abb04497abbf96043a1ae705 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 13 Sep 2022 13:38:10 -0700 Subject: [PATCH 33/51] Bump go Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 8 +++---- Dockerfile.downloader | 49 ++++++++++++++++++++----------------------- 2 files changed, 27 insertions(+), 30 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index fd8eb47..5474c4d 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -66,8 +66,8 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -ENV GOLANG_VERSION 1.17.13 -#ENV GOLANG_VERSION=1.16.15 +#ENV GOLANG_VERSION 1.17.13 +ENV GOLANG_VERSION=1.18.6 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -210,8 +210,8 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -#ENV GOLANG_VERSION=1.16.15 -ENV GOLANG_VERSION 1.17.13 +#ENV GOLANG_VERSION 1.17.13 +ENV GOLANG_VERSION=1.18.6 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index bf12b69..5e93751 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -11,32 +11,29 @@ ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" ENV NODE_VERSION=16.17.0 ENV YARN_VERSION=1.22.5 -#ENV GOLANG_VERSION 1.16.15 -#ENV GOLANG_LINUX_AMD64_SHA512 4b034e9ded3b2f67e271d07185e697854f4c22018f26312b9118443331b585f0576c2655de899e7c66082218bc00810ba52f7f45832103e7da9320056b4d6e47 -#ENV GOLANG_LINUX_ARM64_SHA512 96f5a1f0897fdc5fa3e7e69ac4cc111cc5d0683f82b2338c3aec58b59e8fa882e1a6c3debff01e53cb542d068f16ab7ba626e04bde5171a5d3c1d6cc2285f5bf -#ENV GOLANG_LINUX_ARM_V7_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed -#ENV GOLANG_LINUX_ARM_V6_SHA512 326f4763e4fc8c5237c181d4d7a2f505a7526adc7f5ffdde6e11774ec297a60d8a92e7f726365b3b8d5b9b1fb6cca6a693c310a806e6327da719ea037b464eed -#ENV GOLANG_LINUX_386_SHA512 d55d44df79f99a35f1544bb50c2d97bb7fc6eea894bfef68073a98d43f989cc09f6ccadac1da90f7130954d10b8533fe355fa5ee301c9110cb5225730e0c0b71 -#ENV GOLANG_LINUX_S390X_SHA512 453e27ef9b3a84a9dd8e30e287971c338952e889c2463fcc32275c86c7bcbb569cf1fad9652c3aded2e88eaf23fcd38149592b4627adefb4e9967a0cebb05c04 -#ENV GOLANG_LINUX_PPC64LE_SHA512 858009ec3e9800975c6a0eb144e1af256470f397b820273ab4bcfaa44d7dc32bd1ae9ba37ec3c653585bf4e5f206f07b08765bddcf09cf70197d55bdef0c1676 - -#ENV GOLANG_VERSION 1.17.8 -#ENV GOLANG_LINUX_AMD64_SHA512 f7dd9bd8bb4ddbf6906a8538f007b099d26a51ef13ccd8a3077945585e800d60e476934316a6a2335dcc25a425e641b73f96b00323c5468aa0bb938b5b6987d7 -#ENV GOLANG_LINUX_ARM64_SHA512 58dac7340ed34ba81e675dd906c3512cf061c06cc7526fcc1724a9836452d557b3fe59da62e91cd41e9284f410f41b077f6375ffc7115393467f96067822893f -#ENV GOLANG_LINUX_ARM_V7_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 -#ENV GOLANG_LINUX_ARM_V6_SHA512 778e618ad571436205d0855fddd8d21a59402af5ea60ed6b44be652d0cdde7e51fa89053dfb83cdc7c34de046f6728813da428fea5970a9a62efbe6a00b820c0 -#ENV GOLANG_LINUX_386_SHA512 
737c4c5a4eedcfe9cc29a1e133f79b46ad0326ee6a295aeab7e7569186f3854f5873aed23ebcc1b490f4bec66aa65ccc7ebcc8b768622fd557b348cda45c0cc4 -#ENV GOLANG_LINUX_S390X_SHA512 f8923d3fbbc5cc62fd661660615bb91a8128d1bbd176a4826c3bcf50565df4f8636017a58f74f5894370b03f4a61bdcc4827f9a8c3576b832c228ddba4782867 -#ENV GOLANG_LINUX_PPC64LE_SHA512 9086ac089761e03586245183bacb3432ed7c6c9635c457c8f1a03a2cd3efeecaa7c5e952ca90a00d0e1a8fd720a0e980c79ceac1ec21ecb21aa3fe9a4b24c734 - -ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_LINUX_AMD64_SHA512 672ce66bd7f1400b66d367f1026f3d7062201a8d686b4c1813ccade597ebbe89f9bd98130badd1d7bc6f2cf4020d63a4e71323b44a96fad842d5766ca92aa822 -ENV GOLANG_LINUX_ARM64_SHA512 8f70e89f7dbffe0d4892460a7508b8acd5830999150732388bf69a49e2120cadabe3b4ce641cfe805d4bf871d6e374ad2398fb029f55361607e0eba1c7ea62a4 -ENV GOLANG_LINUX_ARM_V7_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 -ENV GOLANG_LINUX_ARM_V6_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 -ENV GOLANG_LINUX_386_SHA512 0449a2b27d75d654fd214776ae3025d098f55d93a7b0ce07325864f1637d7ae4c8eca782578b6edbd05536e031339ee2bb466f82cbe5d29506033ea9f1aed167 -ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 -ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a +#ENV GOLANG_VERSION 1.17.13 +#ENV GOLANG_LINUX_AMD64_SHA512 672ce66bd7f1400b66d367f1026f3d7062201a8d686b4c1813ccade597ebbe89f9bd98130badd1d7bc6f2cf4020d63a4e71323b44a96fad842d5766ca92aa822 +#ENV GOLANG_LINUX_ARM64_SHA512 8f70e89f7dbffe0d4892460a7508b8acd5830999150732388bf69a49e2120cadabe3b4ce641cfe805d4bf871d6e374ad2398fb029f55361607e0eba1c7ea62a4 +#ENV GOLANG_LINUX_ARM_V7_SHA512 
5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 +#ENV GOLANG_LINUX_ARM_V6_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 +#ENV GOLANG_LINUX_386_SHA512 0449a2b27d75d654fd214776ae3025d098f55d93a7b0ce07325864f1637d7ae4c8eca782578b6edbd05536e031339ee2bb466f82cbe5d29506033ea9f1aed167 +#ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 +#ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a + +ENV GOLANG_VERSION 1.18.6 +ENV GOLANG_LINUX_AMD64_SHA512 d71abdf8a3639207185b373697888ec5a95b282ac798ce1a112ac6edcd41c3f331609560b6915336b316018b22e8fff4df1a3cb12d075bbc5492c869013f7f59 +ENV GOLANG_LINUX_ARM64_SHA512 b2a27866697af6639db730fa1784510df31461daddac70197aa28964bc5babd5c9c70306e76b5a578aa742fa128bd985cf3b6d929aded12774474d109973fa07 +ENV GOLANG_LINUX_ARM_V7_SHA512 9506cba86c48f6b35cc2db25343df99a24324e58dd96cbcd4115f72d5fbfe44e888722d8d7fd2f4ba5750227ccf70a9c8afdc14ed9030efefbec1dfd45897d88 +ENV GOLANG_LINUX_ARM_V6_SHA512 9506cba86c48f6b35cc2db25343df99a24324e58dd96cbcd4115f72d5fbfe44e888722d8d7fd2f4ba5750227ccf70a9c8afdc14ed9030efefbec1dfd45897d88 +ENV GOLANG_LINUX_386_SHA512 8e494196d9530a8244d452d012b51b511c5c142b41a4d0bbcbf5350cb0cfe008b3d7ac1a4374fb56888fe5531d1868870be2aa10646062c5c0c4b8ae2b24f314 +ENV GOLANG_LINUX_S390X_SHA512 9bfbe53e97ee2df417d3056a98ea0a6b7604ca53fe0119351580533a826e1f913d4cfb2926ee7c6b66c4fba9cb1bb13b3b8ad75b40585975e42e334405f6bea4 +ENV GOLANG_LINUX_PPC64LE_SHA512 39669a0d878020e94452ae8dab43be679833416cdf83618030897cf06cfeb3e23123a02419ea1d47e019c0ffb285a888adf404332d9026946fc5d5322af7e445 + +#14 3.760 ENV GOLANG_VERSION 1.19.1 +#14 5.791 ENV 
GOLANG_LINUX_AMD64_SHA512 a69153393a2eaf1c2b77f5a4bafe6a2fb36368c6856d79bd697472af71d925fc62c58e6b8fe75adf143b0462da2ed9e68d0fcd0328cde091be70d745b92814aa +#14 7.555 ENV GOLANG_LINUX_ARM64_SHA512 c7ad05c39e2890b57a6ba05521347c58fa5fd325d8f1aa3058da4ccf0ea7e9ea910fddae1789f24f48b39188ce8ff025d31778c79c977040785c6a641dde8ee3 +#14 9.211 ENV GOLANG_LINUX_ARM_V7_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 +#14 10.77 ENV GOLANG_LINUX_ARM_V6_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 ENV FAIL_WHEN_OUTDATED=true From 5119155ef19e98abf2700aafcd51f6c3466fbf6a Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 13 Sep 2022 15:52:44 -0700 Subject: [PATCH 34/51] Curl bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index aeb2f72..fd191cb 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -16,8 +16,8 @@ RUN --mount=type=secret,uid=100,id=CA \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ - apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u1 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12 patchelf=0.12-1 \ + apt-get install -y --no-install-recommends \ + curl=7.74.0-1.3+deb11u2 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12+deb11u1 patchelf=0.12-1 \ procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ dnsutils=1:9.16.27-1~deb11u1 iputils-ping=3:20210202-1 \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 5474c4d..8c43744 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
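Review bot: The `#14 … ENV GOLANG_…` comment lines added for 1.19.1 in Dockerfile.downloader look like build log output pasted in verbatim. They keep the log prefix and cover only four of the seven platforms, so they cannot be uncommented as they stand. They also suggest the SHA512 pins are copied from what the downloader itself printed. If so, and this is not verifiable from the hunk, a pin only shows that later downloads match the first one, not that the first one matched upstream. Drop the pasted log lines and add a comment above the `GOLANG_LINUX_*_SHA512` block stating where the values come from and how they were cross-checked, e.g. `# SHA512 computed locally from tarballs verified against the upstream-published checksum`.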
@@ -251,7 +251,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u1 \ + curl=7.74.0-1.3+deb11u2 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ apt-get -qq autoremove; \ From 0084156b926fd2dbac7add3a1ba43a9597e181be Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Thu, 22 Dec 2022 18:03:17 -0800 Subject: [PATCH 35/51] December up Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 12 ++++++------ Dockerfile.downloader | 24 ++++++++++++------------ Dockerfile.runtime | 4 ++-- hack/test.sh | 4 ++-- 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index fd191cb..a585a98 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor @@ -23,7 +23,7 @@ RUN --mount=type=secret,uid=100,id=CA \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ apt-get install -qq --no-install-recommends \ - libc6:"$architecture"=2.31-13+deb11u3; \ + libc6:"$architecture"=2.31-13+deb11u4; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 8c43744..a8a414e 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 ####################### # Actual "builder" image 
@@ -50,8 +50,8 @@ RUN --mount=type=secret,uid=100,id=CA \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.2-1 \ musl:"$architecture"=1.2.2-1 \ - libc6:"$architecture"=2.31-13+deb11u3 \ - libc6-dev:"$architecture"=2.31-13+deb11u3; \ + libc6:"$architecture"=2.31-13+deb11u4 \ + libc6-dev:"$architecture"=2.31-13+deb11u4; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ @@ -67,7 +67,7 @@ RUN git config --global advice.detachedHead false # ADD ./cache/overlay.tar / #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.6 +ENV GOLANG_VERSION=1.18.9 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -151,7 +151,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=16.17.0 +ENV NODE_VERSION=16.19.0 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt @@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.6 +ENV GOLANG_VERSION=1.18.9 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 5e93751..624c36f 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-09-01 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-12-01 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=16.17.0 +ENV NODE_VERSION=16.19.0 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.17.13 
@@ -20,14 +20,14 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 #ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a -ENV GOLANG_VERSION 1.18.6 -ENV GOLANG_LINUX_AMD64_SHA512 d71abdf8a3639207185b373697888ec5a95b282ac798ce1a112ac6edcd41c3f331609560b6915336b316018b22e8fff4df1a3cb12d075bbc5492c869013f7f59 -ENV GOLANG_LINUX_ARM64_SHA512 b2a27866697af6639db730fa1784510df31461daddac70197aa28964bc5babd5c9c70306e76b5a578aa742fa128bd985cf3b6d929aded12774474d109973fa07 -ENV GOLANG_LINUX_ARM_V7_SHA512 9506cba86c48f6b35cc2db25343df99a24324e58dd96cbcd4115f72d5fbfe44e888722d8d7fd2f4ba5750227ccf70a9c8afdc14ed9030efefbec1dfd45897d88 -ENV GOLANG_LINUX_ARM_V6_SHA512 9506cba86c48f6b35cc2db25343df99a24324e58dd96cbcd4115f72d5fbfe44e888722d8d7fd2f4ba5750227ccf70a9c8afdc14ed9030efefbec1dfd45897d88 -ENV GOLANG_LINUX_386_SHA512 8e494196d9530a8244d452d012b51b511c5c142b41a4d0bbcbf5350cb0cfe008b3d7ac1a4374fb56888fe5531d1868870be2aa10646062c5c0c4b8ae2b24f314 -ENV GOLANG_LINUX_S390X_SHA512 9bfbe53e97ee2df417d3056a98ea0a6b7604ca53fe0119351580533a826e1f913d4cfb2926ee7c6b66c4fba9cb1bb13b3b8ad75b40585975e42e334405f6bea4 -ENV GOLANG_LINUX_PPC64LE_SHA512 39669a0d878020e94452ae8dab43be679833416cdf83618030897cf06cfeb3e23123a02419ea1d47e019c0ffb285a888adf404332d9026946fc5d5322af7e445 +ENV GOLANG_VERSION 1.18.9 +ENV GOLANG_LINUX_AMD64_SHA512 c56272caf01852d7ac536de9dfd7cde8901f48db4201914226db507fe7e2e9b21978469d4cba57f58ba53dc0730fbc65170bad6c98f3f9c955c95bd376d7ba80 +ENV GOLANG_LINUX_ARM64_SHA512 97feccb8cc294148b606c9f1f7ac21ef2418a3be7ccdfbe9c766c79546b227d69ff9257664831cefae18a13ba0ededbe36adc19ac99c6bcfb7660953d0015c62 +ENV GOLANG_LINUX_ARM_V7_SHA512 
64c10752bbc8eee3c56380ac8a52b5b35c27ec0a394c2654519dfe824f0283772f72f0e9698507788d6a33fbb87ce12617656cbffa68155475539a3582bff08d +ENV GOLANG_LINUX_ARM_V6_SHA512 64c10752bbc8eee3c56380ac8a52b5b35c27ec0a394c2654519dfe824f0283772f72f0e9698507788d6a33fbb87ce12617656cbffa68155475539a3582bff08d +ENV GOLANG_LINUX_386_SHA512 25ccdfe55d8561d76bf0bebff2d52ecc9f92f378f40f7957beef4863d93a33e4c581883e22631898159fd2d6ae882b3c3fe5bf64e3a7c8cdf2aa7b540b4340ad +ENV GOLANG_LINUX_S390X_SHA512 6008647d3c64a5d850bc3e0f05d5ed1bcd83525a1f4c3367ab41ac7fd6a9cc6ed9991cf21a7e6d3c20f713c29bcfbe2131b64ccbaa53c34b35858f32c3c134d1 +ENV GOLANG_LINUX_PPC64LE_SHA512 b3b9ef084a84b2183b874e609e7cf29cf1de2add1d0d40ceb8e45eaa3cd7c7a63902740491b44a7a503b5c83f087c2028f185909bdad70a4508a1ec711bdfb9a #14 3.760 ENV GOLANG_VERSION 1.19.1 #14 5.791 ENV GOLANG_LINUX_AMD64_SHA512 a69153393a2eaf1c2b77f5a4bafe6a2fb36368c6856d79bd697472af71d925fc62c58e6b8fe75adf143b0462da2ed9e68d0fcd0328cde091be70d745b92814aa @@ -46,8 +46,8 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ - apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u2 \ + apt-get install -y --no-install-recommends \ + curl=7.74.0-1.3+deb11u3 \ gnupg=2.2.27-2+deb11u2 \ dirmngr=2.2.27-2+deb11u2 \ ca-certificates=20210119 diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 603e611..32f5061 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-09-01 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 +ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-12-01 ####################### # Overlay diff --git a/hack/test.sh b/hack/test.sh index 00ed4ac..237227d 100755 --- a/hack/test.sh +++ b/hack/test.sh 
@@ -9,7 +9,7 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2022-09-01 \ + --inject date=2022-12-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then @@ -20,7 +20,7 @@ fi if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2022-09-01 \ + --inject date=2022-12-01 \ --inject suite=bullseye \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then From b275281c9154fede680676d1b21358e207392718 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Thu, 22 Dec 2022 18:41:12 -0800 Subject: [PATCH 36/51] Bump Signed-off-by: dubo-dubon-duponey --- Dockerfile.auditor | 6 +++--- Dockerfile.builder | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index a585a98..3bfa7f2 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -17,13 +17,13 @@ RUN --mount=type=secret,uid=100,id=CA \ done; \ apt-get update -qq; \ apt-get install -y --no-install-recommends \ - curl=7.74.0-1.3+deb11u2 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12+deb11u1 patchelf=0.12-1 \ + curl=7.74.0-1.3+deb11u3 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12+deb11u1 patchelf=0.12-1 \ procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ - dnsutils=1:9.16.27-1~deb11u1 iputils-ping=3:20210202-1 \ + dnsutils=1:9.16.33-1~deb11u1 iputils-ping=3:20210202-1 \ lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ apt-get install -qq --no-install-recommends \ - libc6:"$architecture"=2.31-13+deb11u4; \ + libc6:"$architecture"=2.31-13+deb11u5; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index a8a414e..f8b317e 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -42,7 +42,7 @@ RUN --mount=type=secret,uid=100,id=CA \ libtool=2.4.6-15 \ pkg-config=0.29.2-1 \ jq=1.6-2.1 \ - curl=7.74.0-1.3+deb11u2 \ + curl=7.74.0-1.3+deb11u3 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ @@ -50,8 +50,8 @@ RUN --mount=type=secret,uid=100,id=CA \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.2-1 \ musl:"$architecture"=1.2.2-1 \ - libc6:"$architecture"=2.31-13+deb11u4 \ - libc6-dev:"$architecture"=2.31-13+deb11u4; \ + libc6:"$architecture"=2.31-13+deb11u5 \ + libc6-dev:"$architecture"=2.31-13+deb11u5; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ @@ -251,7 +251,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u2 \ + curl=7.74.0-1.3+deb11u3 \ ca-certificates=20210119 \ git=1:2.30.2-1; \ apt-get -qq autoremove; \ From 1b8a1589a0dcd8f8afe9247a5e434a31ed874228 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 17 Jan 2023 18:06:57 -0800 Subject: [PATCH 37/51] Bump go Signed-off-by: dubo-dubon-duponey --- Dockerfile.builder | 4 ++-- Dockerfile.downloader | 16 ++++++++-------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index f8b317e..96d2687 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -67,7 +67,7 @@ RUN git config --global advice.detachedHead false # ADD ./cache/overlay.tar / #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.9 +ENV GOLANG_VERSION=1.18.10 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.9 +ENV GOLANG_VERSION=1.18.10 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current 
diff --git a/Dockerfile.downloader b/Dockerfile.downloader
index 624c36f..4717d97 100644
--- a/Dockerfile.downloader
+++ b/Dockerfile.downloader
@@ -20,14 +20,14 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 #ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a -ENV GOLANG_VERSION 1.18.9 -ENV GOLANG_LINUX_AMD64_SHA512 c56272caf01852d7ac536de9dfd7cde8901f48db4201914226db507fe7e2e9b21978469d4cba57f58ba53dc0730fbc65170bad6c98f3f9c955c95bd376d7ba80 -ENV GOLANG_LINUX_ARM64_SHA512 97feccb8cc294148b606c9f1f7ac21ef2418a3be7ccdfbe9c766c79546b227d69ff9257664831cefae18a13ba0ededbe36adc19ac99c6bcfb7660953d0015c62 -ENV GOLANG_LINUX_ARM_V7_SHA512 64c10752bbc8eee3c56380ac8a52b5b35c27ec0a394c2654519dfe824f0283772f72f0e9698507788d6a33fbb87ce12617656cbffa68155475539a3582bff08d -ENV GOLANG_LINUX_ARM_V6_SHA512 64c10752bbc8eee3c56380ac8a52b5b35c27ec0a394c2654519dfe824f0283772f72f0e9698507788d6a33fbb87ce12617656cbffa68155475539a3582bff08d -ENV GOLANG_LINUX_386_SHA512 25ccdfe55d8561d76bf0bebff2d52ecc9f92f378f40f7957beef4863d93a33e4c581883e22631898159fd2d6ae882b3c3fe5bf64e3a7c8cdf2aa7b540b4340ad -ENV GOLANG_LINUX_S390X_SHA512 6008647d3c64a5d850bc3e0f05d5ed1bcd83525a1f4c3367ab41ac7fd6a9cc6ed9991cf21a7e6d3c20f713c29bcfbe2131b64ccbaa53c34b35858f32c3c134d1 -ENV GOLANG_LINUX_PPC64LE_SHA512 b3b9ef084a84b2183b874e609e7cf29cf1de2add1d0d40ceb8e45eaa3cd7c7a63902740491b44a7a503b5c83f087c2028f185909bdad70a4508a1ec711bdfb9a +ENV GOLANG_VERSION 1.18.10 +ENV GOLANG_LINUX_AMD64_SHA512 2f1986ae1a95f1e2e735abdf2240770210482215c03293322ce9d3cb7b5c7b2904943827154d048771b00fa95d9b5e659d8077873dea0352d7d8cca8880ce204 +ENV GOLANG_LINUX_ARM64_SHA512 a488de01c7eefa02833d153c79ffed5fd126b6d84418c285fd4577f6dfa235a648eb3bbd160eb53d187db512a13015f9bb9310a32ef2b2141d869155c282b3df +ENV GOLANG_LINUX_ARM_V7_SHA512 
c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 +ENV GOLANG_LINUX_ARM_V6_SHA512 c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 +ENV GOLANG_LINUX_386_SHA512 7ad352c874bdc931dea7bd99a34762f5d96bfd63e08cb4ff74a2db19c4ad0cb3bced57c97f683a6bd9a737aaee0ffe1d74f39b0cf81897b89e8dae1187acb634 +ENV GOLANG_LINUX_S390X_SHA512 1919eda41493a86d6e70ccd98102d767a68621363c2d178fb329e4fedc5de0094acf2e19fa56cb4e288085bdef1cf932cf836a609837e10f50384e716e899c2f +ENV GOLANG_LINUX_PPC64LE_SHA512 4017fe35e57af3354f8576ac9b450da7df54773979d2de74baf6ea61375d196ffa84c17074e53ea63510cc75b3401d6c71d51b5b3eafb9aee7828fafa1d7b9cb #14 3.760 ENV GOLANG_VERSION 1.19.1 #14 5.791 ENV GOLANG_LINUX_AMD64_SHA512 a69153393a2eaf1c2b77f5a4bafe6a2fb36368c6856d79bd697472af71d925fc62c58e6b8fe75adf143b0462da2ed9e68d0fcd0328cde091be70d745b92814aa From cb5a5b1a969a6b4aba5b9a5ff4fef573a087e485 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Thu, 7 Sep 2023 10:59:10 -0700 Subject: [PATCH 38/51] Bump --- Dockerfile.auditor | 16 ++++++------- Dockerfile.builder | 39 ++++++++++++++++---------------- Dockerfile.downloader | 33 +++++++++++++++------------ Dockerfile.runtime | 8 +++---- context/scripts/entrypoint.sh | 9 +++++--- context/scripts/version_check.sh | 3 ++- hack/recipe.cue | 38 +++++++++++++++---------------- 7 files changed, 78 insertions(+), 68 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 3bfa7f2..cd92822 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor 
@@ -12,18 +12,18 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=NETRC \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ - for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + for architecture in arm64 amd64; do \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ apt-get install -y --no-install-recommends \ - curl=7.74.0-1.3+deb11u3 file=1:5.39-3 binutils=2.35.2-2 schroot=1.6.10-12+deb11u1 patchelf=0.12-1 \ - procps=2:3.3.17-5 iproute2=5.10.0-4 libcap2-bin=1:2.44-1 \ - dnsutils=1:9.16.33-1~deb11u1 iputils-ping=3:20210202-1 \ - lynis=3.0.2-1 devscripts=2.21.3+deb11u1; \ - for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + curl=7.88.1-10+deb12u1 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \ + procps=2:4.0.2-3 iproute2=6.1.0-3 libcap2-bin=1:2.66-4 \ + dnsutils=1:9.18.16-1~deb12u1 iputils-ping=3:20221126-1 \ + lynis=3.0.8-1.1 devscripts=2.23.4; \ + for architecture in arm64 amd64; do \ apt-get install -qq --no-install-recommends \ - libc6:"$architecture"=2.31-13+deb11u5; \ + libc6:"$architecture"=2.36-9+deb12u1; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 96d2687..b527422 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 ####################### # Actual "builder" image 
@@ -31,27 +31,28 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=NETRC \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ - for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + for architecture in arm64 amd64; do \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ + echo done; \ apt-get install -y --no-install-recommends \ build-essential=12.9 \ - autoconf=2.69-14 \ - automake=1:1.16.3-2 \ - libtool=2.4.6-15 \ - pkg-config=0.29.2-1 \ + autoconf=2.71-3 \ + automake=1:1.16.5-1.3 \ + libtool=2.4.7-5 \ + pkg-config=1.8.1-1 \ jq=1.6-2.1 \ - curl=7.74.0-1.3+deb11u3 \ - ca-certificates=20210119 \ - git=1:2.30.2-1; \ - for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \ + curl=7.88.1-10+deb12u1 \ + ca-certificates=20230311 \ + git=1:2.39.2-1.1; \ + for architecture in arm64 amd64; do \ apt-get install -y --no-install-recommends \ crossbuild-essential-"$architecture"=12.9 \ - musl-dev:"$architecture"=1.2.2-1 \ - musl:"$architecture"=1.2.2-1 \ - libc6:"$architecture"=2.31-13+deb11u5 \ - libc6-dev:"$architecture"=2.31-13+deb11u5; \ + musl-dev:"$architecture"=1.2.3-1 \ + musl:"$architecture"=1.2.3-1 \ + libc6:"$architecture"=2.36-9+deb12u1 \ + libc6-dev:"$architecture"=2.36-9+deb12u1; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ @@ -67,7 +68,7 @@ RUN git config --global advice.detachedHead false # ADD ./cache/overlay.tar / #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.10 +ENV GOLANG_VERSION=1.20.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -151,7 +152,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=16.19.0 +ENV NODE_VERSION=16.20.2 ENV YARN_VERSION=1.22.5 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt 
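Review bot: The added `echo done; \` between `apt-get update -qq;` and the pinned `apt-get install` in the `@@ -31,27 +31,28 @@` hunk of Dockerfile.builder reads like a debugging leftover and can be dropped. The steps in this RUN are chained with `;`, so unless the shell runs with errexit (which would be set outside the hunk, if at all), a pin that no longer resolves on bookworm would not stop the build and the image could ship without the intended package version. Joining the steps with `&&`, as Dockerfile.runtime does for its `bash-static` install, would make such a failure visible. The RUN instruction starts above the hunk and continues below it.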
@@ -211,7 +212,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.18.10 +ENV GOLANG_VERSION=1.20.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -251,8 +252,8 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.74.0-1.3+deb11u3 \ - ca-certificates=20210119 \ + curl=7.88.1-10+deb12u1 \ + ca-certificates=20230311 \ git=1:2.30.2-1; \ apt-get -qq autoremove; \ apt-get -qq clean; \ diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 4717d97..20f1e1b 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-12-01 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-01 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -8,7 +8,7 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=16.19.0 +ENV NODE_VERSION=16.20.2 ENV YARN_VERSION=1.22.5 #ENV GOLANG_VERSION 1.17.13 
@@ -20,14 +20,15 @@ ENV YARN_VERSION=1.22.5 #ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 #ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a -ENV GOLANG_VERSION 1.18.10 -ENV GOLANG_LINUX_AMD64_SHA512 2f1986ae1a95f1e2e735abdf2240770210482215c03293322ce9d3cb7b5c7b2904943827154d048771b00fa95d9b5e659d8077873dea0352d7d8cca8880ce204 -ENV GOLANG_LINUX_ARM64_SHA512 a488de01c7eefa02833d153c79ffed5fd126b6d84418c285fd4577f6dfa235a648eb3bbd160eb53d187db512a13015f9bb9310a32ef2b2141d869155c282b3df -ENV GOLANG_LINUX_ARM_V7_SHA512 c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 -ENV GOLANG_LINUX_ARM_V6_SHA512 c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 -ENV GOLANG_LINUX_386_SHA512 7ad352c874bdc931dea7bd99a34762f5d96bfd63e08cb4ff74a2db19c4ad0cb3bced57c97f683a6bd9a737aaee0ffe1d74f39b0cf81897b89e8dae1187acb634 -ENV GOLANG_LINUX_S390X_SHA512 1919eda41493a86d6e70ccd98102d767a68621363c2d178fb329e4fedc5de0094acf2e19fa56cb4e288085bdef1cf932cf836a609837e10f50384e716e899c2f -ENV GOLANG_LINUX_PPC64LE_SHA512 4017fe35e57af3354f8576ac9b450da7df54773979d2de74baf6ea61375d196ffa84c17074e53ea63510cc75b3401d6c71d51b5b3eafb9aee7828fafa1d7b9cb +#ENV GOLANG_VERSION 1.18.10 +#ENV GOLANG_LINUX_AMD64_SHA512 2f1986ae1a95f1e2e735abdf2240770210482215c03293322ce9d3cb7b5c7b2904943827154d048771b00fa95d9b5e659d8077873dea0352d7d8cca8880ce204 +#ENV GOLANG_LINUX_ARM64_SHA512 a488de01c7eefa02833d153c79ffed5fd126b6d84418c285fd4577f6dfa235a648eb3bbd160eb53d187db512a13015f9bb9310a32ef2b2141d869155c282b3df + +#ENV GOLANG_LINUX_ARM_V7_SHA512 
c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 +#ENV GOLANG_LINUX_ARM_V6_SHA512 c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 +#ENV GOLANG_LINUX_386_SHA512 7ad352c874bdc931dea7bd99a34762f5d96bfd63e08cb4ff74a2db19c4ad0cb3bced57c97f683a6bd9a737aaee0ffe1d74f39b0cf81897b89e8dae1187acb634 +#ENV GOLANG_LINUX_S390X_SHA512 1919eda41493a86d6e70ccd98102d767a68621363c2d178fb329e4fedc5de0094acf2e19fa56cb4e288085bdef1cf932cf836a609837e10f50384e716e899c2f +#ENV GOLANG_LINUX_PPC64LE_SHA512 4017fe35e57af3354f8576ac9b450da7df54773979d2de74baf6ea61375d196ffa84c17074e53ea63510cc75b3401d6c71d51b5b3eafb9aee7828fafa1d7b9cb #14 3.760 ENV GOLANG_VERSION 1.19.1 #14 5.791 ENV GOLANG_LINUX_AMD64_SHA512 a69153393a2eaf1c2b77f5a4bafe6a2fb36368c6856d79bd697472af71d925fc62c58e6b8fe75adf143b0462da2ed9e68d0fcd0328cde091be70d745b92814aa @@ -35,6 +36,10 @@ ENV GOLANG_LINUX_PPC64LE_SHA512 4017fe35e57af3354f8576ac9b450da7df5477 #14 9.211 ENV GOLANG_LINUX_ARM_V7_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 #14 10.77 ENV GOLANG_LINUX_ARM_V6_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 +ENV GOLANG_VERSION 1.20.8 +ENV GOLANG_LINUX_AMD64_SHA512 25fca289e35b09120935389e56733b3f6e849a98f819228708e6ca6202df0f07542dfc82b8447d959e9a2fc1fee27742f4ab397229c6cb883d7a2280e6176f38 +ENV GOLANG_LINUX_ARM64_SHA512 d77c5139c49c644389876f64ebc58ae2f0eb87e5eca7d98edbb948160e78e2930a340ad350ed53738037f25f6986fd70ffb49097984ec26a8991ef5881b35c4a + ENV FAIL_WHEN_OUTDATED=true # hadolint ignore=DL3009 
@@ -47,10 +52,10 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -y --no-install-recommends \ - curl=7.74.0-1.3+deb11u3 \ - gnupg=2.2.27-2+deb11u2 \ - dirmngr=2.2.27-2+deb11u2 \ - ca-certificates=20210119 + curl=7.88.1-10+deb12u1 \ + gnupg=2.2.40-1.1 \ + dirmngr=2.2.40-1.1 \ + ca-certificates=20230311 COPY ./scripts /scripts diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 32f5061..797899b 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bullseye-2022-12-01 -ARG FROM_IMAGE_BUILDER=debian:bullseye-2022-12-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-01 ####################### # Overlay @@ -23,7 +23,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - ca-certificates=20210119 + ca-certificates=20230311 RUN update-ca-certificates @@ -60,7 +60,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq && \ - apt-get install -qq --no-install-recommends bash-static=5.1-2+deb11u1 && \ + apt-get install -qq --no-install-recommends bash-static=5.2.15-2+b2 && \ mkdir -p /boot/bin && \ cp /bin/bash-static /boot/bin/bash && \ apt-get -qq purge bash-static && \ diff --git a/context/scripts/entrypoint.sh b/context/scripts/entrypoint.sh index 219ff4a..ab804cf 100755 --- a/context/scripts/entrypoint.sh +++ b/context/scripts/entrypoint.sh @@ -19,7 +19,8 @@ init::golang(){ } platforms::golang() { - printf "linux/amd64 linux/arm64 linux/arm/v7 linux/arm/v6 linux/386 linux/ppc64le linux/s390x" + printf "linux/amd64 linux/arm64" + # linux/arm/v7 linux/arm/v6 linux/386 linux/ppc64le linux/s390x" } checksum::golang() { 
@@ -118,7 +119,8 @@ init::node() { } platforms::node() { - printf "linux/amd64 linux/arm64 linux/arm/v7 linux/ppc64le linux/s390x" # linux/arm/v6 + printf "linux/amd64 linux/arm64" + # linux/arm/v7 linux/ppc64le linux/s390x" # linux/arm/v6 } url::node() { @@ -206,7 +208,8 @@ init::yarn() { } platforms::yarn() { - printf "linux/amd64 linux/arm64 linux/arm/v7 linux/arm/v6 linux/ppc64le linux/s390x" + printf "linux/amd64 linux/arm64" + # linux/arm/v7 linux/arm/v6 linux/ppc64le linux/s390x" } url::yarn() { diff --git a/context/scripts/version_check.sh b/context/scripts/version_check.sh index 053bc11..f9a2396 100755 --- a/context/scripts/version_check.sh +++ b/context/scripts/version_check.sh @@ -40,7 +40,8 @@ check::golang() { if ! newversion=$(version::latest::patch url::golang "$version" "linux/amd64"); then logger::error "There is a more recent patch for the version of golang you want. You must update:" - version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" "linux/arm/v7" "linux/arm/v6" "linux/386" "linux/s390x" "linux/ppc64le" + version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" + # "linux/arm/v7" "linux/arm/v6" "linux/386" "linux/s390x" "linux/ppc64le" [ ! "$FAIL_WHEN_OUTDATED" ] || { logger::error "We will stop now - if you really want to NOT update though and build with that, set the build argument 'FAIL_WHEN_OUTDATED='"; diff --git a/hack/recipe.cue b/hack/recipe.cue index ef3c2c0..8805648 100644 --- a/hack/recipe.cue +++ b/hack/recipe.cue @@ -73,11 +73,11 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#I386, - types.#Platforms.#V7, - types.#Platforms.#V6, - types.#Platforms.#S390X, - types.#Platforms.#PPC64LE, + // types.#Platforms.#I386, + // types.#Platforms.#V7, + // types.#Platforms.#V6, + // types.#Platforms.#S390X, + // types.#Platforms.#PPC64LE, ] } 
@@ -105,9 +105,9 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#V7, - types.#Platforms.#S390X, - types.#Platforms.#PPC64LE, + // types.#Platforms.#V7, + // types.#Platforms.#S390X, + // types.#Platforms.#PPC64LE, ] } @@ -135,11 +135,11 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#I386, - types.#Platforms.#V7, - types.#Platforms.#V6, - types.#Platforms.#S390X, - types.#Platforms.#PPC64LE, + // types.#Platforms.#I386, + // types.#Platforms.#V7, + // types.#Platforms.#V6, + // types.#Platforms.#S390X, + // types.#Platforms.#PPC64LE, ] } @@ -167,11 +167,11 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#I386, - types.#Platforms.#V7, - types.#Platforms.#V6, - types.#Platforms.#S390X, - types.#Platforms.#PPC64LE, + // types.#Platforms.#I386, + // types.#Platforms.#V7, + // types.#Platforms.#V6, + // types.#Platforms.#S390X, + // types.#Platforms.#PPC64LE, ] } @@ -205,7 +205,7 @@ cakes: { // Injectors injectors: { - suite: =~ "^(?:jessie|stretch|buster|bullseye|sid)$" @tag(suite, type=string) + suite: =~ "^(?:bullseye|bookworm|trixie|sid)$" @tag(suite, type=string) date: =~ "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" @tag(date, type=string) platforms: string @tag(platforms, type=string) registry: string @tag(registry, type=string) From dc7dc14abc52ee1c43d96dbef1cd281e5246e5bb Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Thu, 7 Sep 2023 12:53:39 -0700 Subject: [PATCH 39/51] Fix git version --- Dockerfile.builder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index b527422..75c8809 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -254,7 +254,7 @@ RUN --mount=type=secret,uid=100,id=CA \ apt-get install -qq --no-install-recommends \ curl=7.88.1-10+deb12u1 \ ca-certificates=20230311 \ - git=1:2.30.2-1; \ + git=1:2.39.2-1.1; \ apt-get -qq autoremove; \ apt-get -qq clean; \ rm -rf /var/lib/apt/lists/*; \ From 19727c2f84497490931f9f56f17c91dd4eddffa1 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 11 Sep 2023 19:24:16 -0700 Subject: [PATCH 40/51] Bump --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 10b083a..8da07fb 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /.idea */cache/* cache +*trace.json From ad94e275c50106c10586bb2b841bda3de7091f45 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 11 Sep 2023 21:22:48 -0700 Subject: [PATCH 41/51] Reintroduce armv7 --- context/scripts/entrypoint.sh | 12 ++++++------ context/scripts/version_check.sh | 7 ++++--- hack/recipe.cue | 8 ++++---- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/context/scripts/entrypoint.sh b/context/scripts/entrypoint.sh index ab804cf..765c134 100755 --- a/context/scripts/entrypoint.sh +++ b/context/scripts/entrypoint.sh @@ -19,8 +19,8 @@ init::golang(){ } platforms::golang() { - printf "linux/amd64 linux/arm64" - # linux/arm/v7 linux/arm/v6 linux/386 linux/ppc64le linux/s390x" + printf "linux/amd64 linux/arm64 linux/arm/v7" + # linux/arm/v6 linux/386 linux/ppc64le linux/s390x" } checksum::golang() { @@ -119,8 +119,8 @@ init::node() { } platforms::node() { - printf "linux/amd64 linux/arm64" - # linux/arm/v7 linux/ppc64le linux/s390x" # linux/arm/v6 + printf "linux/amd64 linux/arm64 linux/arm/v7" + # linux/ppc64le linux/s390x" # linux/arm/v6 } url::node() { @@ -208,8 +208,8 @@ init::yarn() { } platforms::yarn() { - printf "linux/amd64 linux/arm64" - # linux/arm/v7 linux/arm/v6 linux/ppc64le linux/s390x" + printf "linux/amd64 linux/arm64 linux/arm/v7" + # linux/arm/v6 linux/ppc64le linux/s390x" } url::yarn() { 
diff --git a/context/scripts/version_check.sh b/context/scripts/version_check.sh index f9a2396..4530185 100755 --- a/context/scripts/version_check.sh +++ b/context/scripts/version_check.sh @@ -40,8 +40,8 @@ check::golang() { if ! newversion=$(version::latest::patch url::golang "$version" "linux/amd64"); then logger::error "There is a more recent patch for the version of golang you want. You must update:" - version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" - # "linux/arm/v7" "linux/arm/v6" "linux/386" "linux/s390x" "linux/ppc64le" + version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" "linux/arm/v7" + # "linux/arm/v6" "linux/386" "linux/s390x" "linux/ppc64le" [ ! "$FAIL_WHEN_OUTDATED" ] || { logger::error "We will stop now - if you really want to NOT update though and build with that, set the build argument 'FAIL_WHEN_OUTDATED='"; @@ -54,7 +54,8 @@ check::golang() { ! newversion=$(version::latest::patch url::golang "$newversion" "linux/amd64") logger::warning "Although you are running a fully patched version of golang ($version), there is a new minor version that you should migrate to:" - version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" "linux/arm/v7" "linux/arm/v6" + version::latest::checksum "golang" "$newversion" "linux/amd64" "linux/arm64" "linux/arm/v7" + # "linux/arm/v6" fi } diff --git a/hack/recipe.cue b/hack/recipe.cue index 8805648..2d659dd 100644 --- a/hack/recipe.cue +++ b/hack/recipe.cue @@ -73,8 +73,8 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, + types.#Platforms.#V7, // types.#Platforms.#I386, - // types.#Platforms.#V7, // types.#Platforms.#V6, // types.#Platforms.#S390X, // types.#Platforms.#PPC64LE, @@ -105,7 +105,7 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - // types.#Platforms.#V7, + types.#Platforms.#V7, // types.#Platforms.#S390X, // types.#Platforms.#PPC64LE, ] 
@@ -135,8 +135,8 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, + types.#Platforms.#V7, // types.#Platforms.#I386, - // types.#Platforms.#V7, // types.#Platforms.#V6, // types.#Platforms.#S390X, // types.#Platforms.#PPC64LE, @@ -167,8 +167,8 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, + types.#Platforms.#V7, // types.#Platforms.#I386, - // types.#Platforms.#V7, // types.#Platforms.#V6, // types.#Platforms.#S390X, // types.#Platforms.#PPC64LE, From 9f1ac00771cbad84f1de0fc07608b007ee2fdedc Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 13 Sep 2023 10:32:37 -0700 Subject: [PATCH 42/51] Reintroduce armv7 --- Dockerfile.auditor | 2 +- Dockerfile.builder | 2 +- Dockerfile.downloader | 3 ++- Dockerfile.runtime | 4 ++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index cd92822..f63caf0 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor diff --git a/Dockerfile.builder b/Dockerfile.builder index 75c8809..dd92ad9 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 ####################### # Actual "builder" image diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 20f1e1b..43be0e0 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-01 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-08 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -39,6 +39,7 @@ ENV YARN_VERSION=1.22.5 ENV GOLANG_VERSION 1.20.8 ENV GOLANG_LINUX_AMD64_SHA512 25fca289e35b09120935389e56733b3f6e849a98f819228708e6ca6202df0f07542dfc82b8447d959e9a2fc1fee27742f4ab397229c6cb883d7a2280e6176f38 ENV GOLANG_LINUX_ARM64_SHA512 d77c5139c49c644389876f64ebc58ae2f0eb87e5eca7d98edbb948160e78e2930a340ad350ed53738037f25f6986fd70ffb49097984ec26a8991ef5881b35c4a +ENV GOLANG_LINUX_ARM_V7_SHA512 bc30043d5d781891bb08af9d8fcd32a6279cd654fb287a21cb4d57086dafc46ebae78486826ffe0d94b8aa974bd0004408c93f4530288b7c3267bc7950ef52c1 ENV FAIL_WHEN_OUTDATED=true diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 797899b..c9f2d88 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-01 -ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-01 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-08 ####################### # Overlay From ca32f727d6ce62df6555e9534431a9388609617f Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 24 Feb 2024 18:31:04 -0800 Subject: [PATCH 43/51] Bump version and disable yarn security check as they porked it :/ --- Dockerfile.auditor | 6 +++--- Dockerfile.builder | 10 +++++----- Dockerfile.downloader | 10 +++++----- Dockerfile.runtime | 4 ++-- context/scripts/entrypoint.sh | 6 +++++- 5 files changed, 20 insertions(+), 16 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index f63caf0..4b99357 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor @@ -17,9 +17,9 @@ RUN --mount=type=secret,uid=100,id=CA \ done; \ apt-get update -qq; \ apt-get install -y --no-install-recommends \ - curl=7.88.1-10+deb12u1 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \ + curl=7.88.1-10+deb12u5 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \ procps=2:4.0.2-3 iproute2=6.1.0-3 libcap2-bin=1:2.66-4 \ - dnsutils=1:9.18.16-1~deb12u1 iputils-ping=3:20221126-1 \ + dnsutils=1:9.18.24-1 iputils-ping=3:20221126-1 \ lynis=3.0.8-1.1 devscripts=2.23.4; \ for architecture in arm64 amd64; do \ apt-get install -qq --no-install-recommends \ diff --git a/Dockerfile.builder b/Dockerfile.builder index dd92ad9..656fc9b 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 ####################### # Actual "builder" image @@ -43,7 +43,7 @@ RUN --mount=type=secret,uid=100,id=CA \ libtool=2.4.7-5 \ pkg-config=1.8.1-1 \ jq=1.6-2.1 \ - curl=7.88.1-10+deb12u1 \ + curl=7.88.1-10+deb12u5 \ ca-certificates=20230311 \ git=1:2.39.2-1.1; \ for architecture in arm64 amd64; do \ @@ -152,8 +152,8 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME ARG TARGETPLATFORM # Add node -ENV NODE_VERSION=16.20.2 -ENV YARN_VERSION=1.22.5 +ENV NODE_VERSION=20.11.1 +ENV YARN_VERSION=1.22.21 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt ADD ./cache/$TARGETPLATFORM/yarn-$YARN_VERSION.tar.gz /opt 
@@ -252,7 +252,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -qq --no-install-recommends \ - curl=7.88.1-10+deb12u1 \ + curl=7.88.1-10+deb12u5 \ ca-certificates=20230311 \ git=1:2.39.2-1.1; \ apt-get -qq autoremove; \ diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 43be0e0..38ab85f 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-08 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-02-20 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -8,8 +8,8 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" -ENV NODE_VERSION=16.20.2 -ENV YARN_VERSION=1.22.5 +ENV NODE_VERSION=20.11.1 +ENV YARN_VERSION=1.22.21 #ENV GOLANG_VERSION 1.17.13 #ENV GOLANG_LINUX_AMD64_SHA512 672ce66bd7f1400b66d367f1026f3d7062201a8d686b4c1813ccade597ebbe89f9bd98130badd1d7bc6f2cf4020d63a4e71323b44a96fad842d5766ca92aa822 @@ -36,7 +36,7 @@ ENV YARN_VERSION=1.22.5 #14 9.211 ENV GOLANG_LINUX_ARM_V7_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 #14 10.77 ENV GOLANG_LINUX_ARM_V6_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 -ENV GOLANG_VERSION 1.20.8 +ENV GOLANG_VERSION 1.21.7 ENV GOLANG_LINUX_AMD64_SHA512 25fca289e35b09120935389e56733b3f6e849a98f819228708e6ca6202df0f07542dfc82b8447d959e9a2fc1fee27742f4ab397229c6cb883d7a2280e6176f38 ENV GOLANG_LINUX_ARM64_SHA512 d77c5139c49c644389876f64ebc58ae2f0eb87e5eca7d98edbb948160e78e2930a340ad350ed53738037f25f6986fd70ffb49097984ec26a8991ef5881b35c4a ENV GOLANG_LINUX_ARM_V7_SHA512 bc30043d5d781891bb08af9d8fcd32a6279cd654fb287a21cb4d57086dafc46ebae78486826ffe0d94b8aa974bd0004408c93f4530288b7c3267bc7950ef52c1 
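Review bot: `ENV GOLANG_VERSION 1.21.7` in the Dockerfile.downloader hunk at -36,7 is bumped while the three `GOLANG_LINUX_*_SHA512` values below it stay as unchanged context, so the pinned digests still describe the 1.20.8 tarballs. Assuming the downloader compares each fetched archive against these variables, this commit cannot pass verification on its own and only builds again once a later patch in the series replaces the digests. Change the version and its digests in the same commit, and add a comment above the block such as `# digests must match GOLANG_VERSION; update all of them together`, so that no intermediate state of the history depends on skipping the check.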
@@ -53,7 +53,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ apt-get install -y --no-install-recommends \ - curl=7.88.1-10+deb12u1 \ + curl=7.88.1-10+deb12u5 \ gnupg=2.2.40-1.1 \ dirmngr=2.2.40-1.1 \ ca-certificates=20230311 diff --git a/Dockerfile.runtime b/Dockerfile.runtime index c9f2d88..4e88eaf 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2023-09-08 -ARG FROM_IMAGE_BUILDER=debian:bookworm-2023-09-08 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-02-20 ####################### # Overlay diff --git a/context/scripts/entrypoint.sh b/context/scripts/entrypoint.sh index 765c134..06dee4e 100755 --- a/context/scripts/entrypoint.sh +++ b/context/scripts/entrypoint.sh @@ -230,7 +230,11 @@ checksum::yarn() { cache::download "$arch" "yarn-$version.asc" "https://yarnpkg.com/downloads/$version/yarn-v$version.tar.gz.asc" logger::debug "Verifying Yarn signature" - gpg --batch --verify "$(cache::path "$arch" "yarn-$version.asc")" "$(cache::path "$arch" "$binary")" + # XXX RED ALERT - Yarn is currently broken and has been for a while now + # It is pretty clear they dont maintain it anymore + # See first warning here from last November + # https://github.com/yarnpkg/yarn/releases/tag/v1.22.20 + # gpg --batch --verify "$(cache::path "$arch" "yarn-$version.asc")" "$(cache::path "$arch" "$binary")" } From f983ca1da6d98646cbd917b2cb50126c9c924de4 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sat, 24 Feb 2024 18:47:01 -0800 Subject: [PATCH 44/51] Golang bump --- Dockerfile.downloader | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 38ab85f..2b2e465 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
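Review bot: Commenting out `gpg --batch --verify` in `checksum::yarn` leaves the Yarn tarball with no visible integrity check: the `.asc` file is still fetched by `cache::download` but nothing in the hunk reads it, so the function accepts whatever content is served at that URL. The Go tarballs in Dockerfile.downloader are pinned with `GOLANG_LINUX_*_SHA512`, and Yarn should get an equivalent pin while the upstream signature is unusable. For example, add a `YARN_SHA512` variable (a name suggested here, not one in the repository) and check it with `printf '%s  %s\n' "$YARN_SHA512" "$(cache::path "$arch" "$binary")" | sha512sum -c -`. Take the digest from a release verified out of band, and keep the commented-out line with a note stating when it can be re-enabled. The body of `checksum::yarn` starts above this hunk, so an earlier check in the function cannot be ruled out from here.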
@@ -37,9 +37,9 @@ ENV YARN_VERSION=1.22.21 #14 10.77 ENV GOLANG_LINUX_ARM_V6_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 ENV GOLANG_VERSION 1.21.7 -ENV GOLANG_LINUX_AMD64_SHA512 25fca289e35b09120935389e56733b3f6e849a98f819228708e6ca6202df0f07542dfc82b8447d959e9a2fc1fee27742f4ab397229c6cb883d7a2280e6176f38 -ENV GOLANG_LINUX_ARM64_SHA512 d77c5139c49c644389876f64ebc58ae2f0eb87e5eca7d98edbb948160e78e2930a340ad350ed53738037f25f6986fd70ffb49097984ec26a8991ef5881b35c4a -ENV GOLANG_LINUX_ARM_V7_SHA512 bc30043d5d781891bb08af9d8fcd32a6279cd654fb287a21cb4d57086dafc46ebae78486826ffe0d94b8aa974bd0004408c93f4530288b7c3267bc7950ef52c1 +ENV GOLANG_LINUX_AMD64_SHA512 c3a4ec79e01d437b094df5043cda6af593f3f303aa48d56aa10beeb1bc22bf568009fbd56da9d078cf044bfcd723a1626c7b9e5f771a3de38b0ce6df21b6b1b6 +ENV GOLANG_LINUX_ARM64_SHA512 13610e247d44644f02625cd5e98a2aef6eb98268710d593a1eb065b89f0418164b6b0040a297b86df862870ac34492905a07911c4b41570d6e7637e515c2bcc8 +ENV GOLANG_LINUX_ARM_V7_SHA512 8a57f9a60ff761c7bae70ab8d3d3f2f398f8a24a2c3509c28cc513e58fd406971a7edb1d619c58468a9f2a59ad2b3ba7ccf82915783f54e83547863631ec6912 ENV FAIL_WHEN_OUTDATED=true From c0017189700d3d8c4b20a2a9819880b61753745b Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 26 Feb 2024 16:36:55 -0800 Subject: [PATCH 45/51] bump --- Dockerfile.auditor | 2 +- Dockerfile.builder | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 4b99357..090747e 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -23,7 +23,7 @@ RUN --mount=type=secret,uid=100,id=CA \ lynis=3.0.8-1.1 devscripts=2.23.4; \ for architecture in arm64 amd64; do \ apt-get install -qq --no-install-recommends \ - libc6:"$architecture"=2.36-9+deb12u1; \ + libc6:"$architecture"=2.36-9+deb12u4; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ 
diff --git a/Dockerfile.builder b/Dockerfile.builder index 656fc9b..defaafc 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -35,7 +35,6 @@ RUN --mount=type=secret,uid=100,id=CA \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ - echo done; \ apt-get install -y --no-install-recommends \ build-essential=12.9 \ autoconf=2.71-3 \ @@ -51,8 +50,8 @@ RUN --mount=type=secret,uid=100,id=CA \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.3-1 \ musl:"$architecture"=1.2.3-1 \ - libc6:"$architecture"=2.36-9+deb12u1 \ - libc6-dev:"$architecture"=2.36-9+deb12u1; \ + libc6:"$architecture"=2.36-9+deb12u4 \ + libc6-dev:"$architecture"=2.36-9+deb12u4; \ done; \ apt-get -qq autoremove; \ apt-get -qq clean; \ From 932cd2de41aa81b691024ad12f0dce6d83708b87 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 26 Feb 2024 16:40:15 -0800 Subject: [PATCH 46/51] rebump --- Dockerfile.auditor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 090747e..1e16c68 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor @@ -20,7 +20,7 @@ RUN --mount=type=secret,uid=100,id=CA \ curl=7.88.1-10+deb12u5 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \ procps=2:4.0.2-3 iproute2=6.1.0-3 libcap2-bin=1:2.66-4 \ dnsutils=1:9.18.24-1 iputils-ping=3:20221126-1 \ - lynis=3.0.8-1.1 devscripts=2.23.4; \ + lynis=3.0.8-1.1 devscripts=2.23.4+deb12u1; \ for architecture in arm64 amd64; do \ apt-get install -qq --no-install-recommends \ libc6:"$architecture"=2.36-9+deb12u4; \ From 605a0cb7d8b04132f29f110a2d8199838d63e2d7 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Tue, 27 Feb 2024 22:28:17 -0800 Subject: [PATCH 47/51] bump go --- Dockerfile.builder | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index defaafc..125249a 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -67,7 +67,7 @@ RUN git config --global advice.detachedHead false # ADD ./cache/overlay.tar / #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.20.8 +ENV GOLANG_VERSION=1.21.7 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -211,7 +211,7 @@ ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH #ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.20.8 +ENV GOLANG_VERSION=1.21.7 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current From 59d9f4c2559cd69cb42d58173f012ef08b296c8b Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Wed, 13 Mar 2024 16:01:13 -0700 Subject: [PATCH 48/51] The end of arm7 --- hack/recipe.cue | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hack/recipe.cue b/hack/recipe.cue index 2d659dd..93cf588 100644 --- a/hack/recipe.cue +++ b/hack/recipe.cue @@ -73,7 +73,7 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#V7, + // types.#Platforms.#V7, // types.#Platforms.#I386, // types.#Platforms.#V6, // types.#Platforms.#S390X, @@ -105,7 +105,7 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#V7, + // types.#Platforms.#V7, // types.#Platforms.#S390X, // types.#Platforms.#PPC64LE, ] @@ -135,7 +135,7 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#V7, + // types.#Platforms.#V7, // types.#Platforms.#I386, // types.#Platforms.#V6, // types.#Platforms.#S390X, @@ -167,7 +167,7 @@ cakes: { platforms: types.#Platforms | * [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - types.#Platforms.#V7, + // types.#Platforms.#V7, // types.#Platforms.#I386, // types.#Platforms.#V6, // types.#Platforms.#S390X, From 0d26a75bbc08649f3af1200a37a564905e175e4e Mon Sep 17 00:00:00 2001 
From: dubo-dubon-duponey Date: Sun, 17 Mar 2024 02:58:01 -0700 Subject: [PATCH 49/51] Springtime --- .github/workflows/CI.yml | 6 +++--- .gitignore | 5 ++--- Dockerfile.auditor | 4 ++-- Dockerfile.builder | 6 +++--- Dockerfile.downloader | 4 ++-- Dockerfile.runtime | 4 ++-- README.md | 4 ++-- .../duponey.cloud/buildkit/buildctl/buildctl.cue | 2 +- cue.mod/pkg/duponey.cloud/scullery/icing.cue | 2 +- hack/build.sh | 6 ++++-- hack/{ => helpers}/cue_tool.cue | 0 hack/helpers/install-tools.sh | 8 ++++---- hack/helpers/start-buildkit.sh | 13 ++++++------- hack/lint.sh | 7 ++++--- hack/test.sh | 8 ++++---- 15 files changed, 40 insertions(+), 39 deletions(-) rename hack/{ => helpers}/cue_tool.cue (100%) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 31f466c..c069344 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -10,12 +10,12 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Checks-out repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: submodules: true - name: Enable cache - uses: actions/cache@v2.1.1 + uses: actions/cache@v4 with: path: $GITHUB_WORKSPACE/cache key: cache @@ -50,7 +50,7 @@ jobs: - name: test run: | # Set the path and install the tools - export PATH="$GITHUB_WORKSPACE/cache/bin:$PATH" + export PATH="$HOME/bin:$PATH" ./hack/helpers/install-tools.sh # Start buildkit bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)" diff --git a/.gitignore b/.gitignore index 8da07fb..22894af 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ .DS_Store /.idea -*/cache/* -cache -*trace.json +cache/ +/xxx-* diff --git a/Dockerfile.auditor b/Dockerfile.auditor index 1e16c68..1481f1d 100644 --- a/Dockerfile.auditor +++ b/Dockerfile.auditor 
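Review bot: `uses: actions/checkout@v4` and `uses: actions/cache@v4` in the first CI.yml hunk are still referenced by movable tags, which can be repointed to different code without any change in this repository. The same job goes on to run the repository's tool-install and buildkit helper scripts, so the actions execute in a context that builds the published images. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let an update bot propose the SHA bumps.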
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01 # XXX a new experimental image meant for auditing shit FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS auditor @@ -16,7 +16,7 @@ RUN --mount=type=secret,uid=100,id=CA \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ - apt-get install -y --no-install-recommends \ + apt-get install -qq --no-install-recommends \ curl=7.88.1-10+deb12u5 file=1:5.44-3 binutils=2.40-2 schroot=1.6.13-3+b2 patchelf=0.14.3-1+b1 \ procps=2:4.0.2-3 iproute2=6.1.0-3 libcap2-bin=1:2.66-4 \ dnsutils=1:9.18.24-1 iputils-ping=3:20221126-1 \ diff --git a/Dockerfile.builder b/Dockerfile.builder index 125249a..12d2dbe 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01 ####################### # Actual "builder" image @@ -35,7 +35,7 @@ RUN --mount=type=secret,uid=100,id=CA \ dpkg --add-architecture "$architecture"; \ done; \ apt-get update -qq; \ - apt-get install -y --no-install-recommends \ + apt-get install -qq --no-install-recommends \ build-essential=12.9 \ autoconf=2.71-3 \ automake=1:1.16.5-1.3 \ @@ -46,7 +46,7 @@ RUN --mount=type=secret,uid=100,id=CA \ ca-certificates=20230311 \ git=1:2.39.2-1.1; \ for architecture in arm64 amd64; do \ - apt-get install -y --no-install-recommends \ + apt-get install -qq --no-install-recommends \ crossbuild-essential-"$architecture"=12.9 \ musl-dev:"$architecture"=1.2.3-1 \ musl:"$architecture"=1.2.3-1 \ diff --git a/Dockerfile.downloader b/Dockerfile.downloader index 2b2e465..c3a75f0 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -1,5 +1,5 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-02-20 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-03-01 ####################### # Downloader is here only to retrieve and validate upstream tarballs @@ -52,7 +52,7 @@ RUN --mount=type=secret,uid=100,id=CA \ --mount=type=secret,id=APT_SOURCES \ --mount=type=secret,id=APT_CONFIG \ apt-get update -qq; \ - apt-get install -y --no-install-recommends \ + apt-get install -qq --no-install-recommends \ curl=7.88.1-10+deb12u5 \ gnupg=2.2.40-1.1 \ dirmngr=2.2.40-1.1 \ diff --git a/Dockerfile.runtime b/Dockerfile.runtime index 4e88eaf..70dfc66 100644 --- a/Dockerfile.runtime +++ b/Dockerfile.runtime @@ -1,6 +1,6 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-02-20 -ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-02-20 +ARG FROM_IMAGE_RUNTIME=debian:bookworm-2024-03-01 +ARG FROM_IMAGE_BUILDER=debian:bookworm-2024-03-01 ####################### # Overlay diff --git a/README.md b/README.md index 518732a..3ce7ea6 100644 --- a/README.md +++ b/README.md 
@@ -5,14 +5,14 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our i Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: * `docker.io/dubodubonduponey/base:runtime-latest` and `docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) + * based on our debootstrapped version of Debian Bookworm (currently `DATE=2024-03-01`) * labels * ca-certificates copied over * ONBUILD instructions to copy over runtime folders * user creation * entrypoint definition * `docker.io/dubodubonduponey/base:builder-latest` and `docker.io/dubodubonduponey/base:builder-$SUITE-$DATE` - * based on our debootstrapped version of Debian Bullseye (currently `DATE=2021-11-01`) + * based on our debootstrapped version of Debian Bookworm (currently `DATE=2024-03-01`) * golang, python, and essential cross compilation dev & build tools * `docker.io/dubodubonduponey/base:node-latest` and `docker.io/dubodubonduponey/base:node-$SUITE-$DATE` * +nodejs +yarnpkg diff --git a/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue b/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue index 7a74ef0..e91385a 100644 --- a/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue +++ b/cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue @@ -72,7 +72,7 @@ import ( ["--local", "dockerfile=\(dockerfile)"] + ["--frontend", frontend] + - ["--trace", "buildctl.trace.json"] + + ["--trace", "cache/buildctl.trace.json"] + ["--opt", "filename=\(filename)"] + ["--local", "context=\(context)"] + diff --git a/cue.mod/pkg/duponey.cloud/scullery/icing.cue b/cue.mod/pkg/duponey.cloud/scullery/icing.cue index 6fbfcb2..fe17b30 100644 --- a/cue.mod/pkg/duponey.cloud/scullery/icing.cue +++ b/cue.mod/pkg/duponey.cloud/scullery/icing.cue 
@@ -64,7 +64,7 @@ import ( #Icing: { // XXX make this type more specific buildkit?: { - address?: string | * "docker-container://buildkitd" + address?: string | * "docker-container://dbdbdp-buildkit" name?: string ca?: types.#Path cert?: types.#Path diff --git a/hack/build.sh b/hack/build.sh index 26f7246..0133f44 100755 --- a/hack/build.sh +++ b/hack/build.sh @@ -6,7 +6,9 @@ root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../" readonly root # shellcheck source=/dev/null -BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh" +BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" . "$root/hack/helpers/install-tools.sh" + +rm -f "$root/cache/buildctl.trace.json" # Build the cue invocation params=(cue) @@ -22,7 +24,7 @@ case "${1:-}" in *) cd "$root" target=image - files=("$root/hack/recipe.cue" "$root/hack/cue_tool.cue") + files=("$root/hack/recipe.cue" "$root/hack/helpers/cue_tool.cue") isparam= for i in "$@"; do if [ "${i:0:2}" == "--" ]; then diff --git a/hack/cue_tool.cue b/hack/helpers/cue_tool.cue similarity index 100% rename from hack/cue_tool.cue rename to hack/helpers/cue_tool.cue diff --git a/hack/helpers/install-tools.sh b/hack/helpers/install-tools.sh index 8be862c..708f8ab 100755 --- a/hack/helpers/install-tools.sh +++ b/hack/helpers/install-tools.sh @@ -1,15 +1,15 @@ #!/usr/bin/env bash set -o errexit -o errtrace -o functrace -o nounset -o pipefail -export SUITE=bullseye -export DATE=2021-08-01 +export SUITE=bookworm +export DATE=2024-03-01 export BIN_LOCATION="${BIN_LOCATION:-$HOME/bin}" export PATH="$BIN_LOCATION:$PATH" readonly IMAGE_TOOLS="${IMAGE_TOOLS:-dubodubonduponey/tools:$(uname -s | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}" -export SHELLCHECK_VERSION=0.7.2 -export HADOLINT_VERSION=2.7.0 +export SHELLCHECK_VERSION=0.10.0 +export HADOLINT_VERSION=2.12.0 setup::tools(){ local location="$1" 
diff --git a/hack/helpers/start-buildkit.sh b/hack/helpers/start-buildkit.sh index 80702fa..b1b98b3 100755 --- a/hack/helpers/start-buildkit.sh +++ b/hack/helpers/start-buildkit.sh @@ -1,10 +1,8 @@ #!/usr/bin/env bash set -o errexit -o errtrace -o functrace -o nounset -o pipefail -export SUITE=bullseye -export DATE=2021-08-01 - -readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit:$SUITE-$DATE}" +export TAG=latest +readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit:$TAG}" setup::buildkit() { [ "$(docker container inspect -f '{{.State.Running}}' dbdbdp-buildkit 2>/dev/null)" == "true" ] || { @@ -12,14 +10,15 @@ setup::buildkit() { -p 4242:4242 \ --network host \ --name dbdbdp-buildkit \ - --env MDNS_ENABLED=true \ - --env MDNS_HOST=buildkit-machina \ - --env MDNS_NAME="Dubo Buildkit on la machina" \ + --env MOD_MDNS_ENABLED=true \ + --env MOD_MDNS_HOST=buildkit-machina \ + --env MOD_MDNS_NAME="Dubo Buildkit on la machina" \ --entrypoint buildkitd \ --user root \ --privileged \ "$IMAGE_BLDKT" docker exec --env QEMU_BINARY_PATH=/boot/bin/ dbdbdp-buildkit binfmt --install all + docker exec dbdbdp-buildkit mkdir /tmp/runtime } } diff --git a/hack/lint.sh b/hack/lint.sh index e39dd2d..127b850 100755 --- a/hack/lint.sh +++ b/hack/lint.sh @@ -1,12 +1,11 @@ #!/usr/bin/env bash set -o errexit -o errtrace -o functrace -o nounset -o pipefail -# shellcheck source=/dev/null root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../" readonly root # shellcheck source=/dev/null -BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh" +BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" . "$root/hack/helpers/install-tools.sh" # Ignore some hadolint warnings that do not make much sense # DL3006 is about "dO nOT UsE --platform", which is really ludicrous 
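Review bot: `export TAG=latest` makes `IMAGE_BLDKT` default to `docker.io/dubodubonduponey/buildkit:latest`, and the second start-buildkit.sh hunk passes `--user root`, `--privileged` and `--network host` to the container started from that image. With a mutable tag, whatever is next pushed under `latest` runs with full control of the build host, and two runs of the script can end up on different daemons without any change in the repository. Keep a dated tag as the removed `$SUITE-$DATE` form did, or pin by digest: `readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit@sha256:<digest>}"`. Separately, `-p 4242:4242` has no effect next to `--network host` and can be dropped. The `docker run` line itself lies between the two hunks and is not visible here.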
@@ -24,4 +23,6 @@ if ! hadolint "${hadolint_ignore[@]}" "$root"/*Dockerfile*; then exit 1 fi -find "$root" -iname "*.sh" -not -path "*debuerreotype*" -not -path "*cache*" -exec shellcheck {} \; +while read -r line; do + shellcheck "$line" +done < <(find "$root" -iname "*.sh" -not -path "*debuerreotype*" -not -path "*cache*" -not -path "*xxx*" 2>/dev/null || true) diff --git a/hack/test.sh b/hack/test.sh index 237227d..f94c3cc 100755 --- a/hack/test.sh +++ b/hack/test.sh @@ -9,8 +9,8 @@ readonly root if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2022-12-01 \ - --inject suite=bullseye \ + --inject date=2024-03-01 \ + --inject suite=bookworm \ --inject platforms=linux/amd64,linux/arm64 \ overlay "$@"; then printf >&2 "Failed building overlay\n" @@ -20,8 +20,8 @@ fi if ! "$root/hack/build.sh" \ --inject registry="docker.io/dubodubonduponey" \ --inject progress=plain \ - --inject date=2022-12-01 \ - --inject suite=bullseye \ + --inject date=2024-03-01 \ + --inject suite=bookworm \ --inject platforms=linux/amd64,linux/arm64 \ runtime "$@"; then printf >&2 "Failed building runtime image\n" From 2c1cb364fddddc1ff2d10eb4ee922b95f1ec6ff7 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Sun, 17 Mar 2024 10:21:03 -0700 Subject: [PATCH 50/51] Cleanup --- Dockerfile.builder | 8 +++----- Dockerfile.downloader | 35 +++++------------------------------ README.md | 4 ++-- context/scripts/entrypoint.sh | 5 +++-- 4 files changed, 13 insertions(+), 39 deletions(-) diff --git a/Dockerfile.builder b/Dockerfile.builder index 12d2dbe..dd198f2 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder 
@@ -66,8 +66,7 @@ RUN git config --global advice.detachedHead false # Now replaced with proper ca-certificates install (which does pull in openssl <- not a problem for build, but keeping the lightweight deviation for runtime) # ADD ./cache/overlay.tar / -#ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.21.7 +ENV GOLANG_VERSION=1.21.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current @@ -152,7 +151,7 @@ ARG TARGETPLATFORM # Add node ENV NODE_VERSION=20.11.1 -ENV YARN_VERSION=1.22.21 +ENV YARN_VERSION=1.22.22 ADD ./cache/$TARGETPLATFORM/node-$NODE_VERSION.tar.gz /opt ADD ./cache/$TARGETPLATFORM/yarn-$YARN_VERSION.tar.gz /opt @@ -210,8 +209,7 @@ ENV GOPATH=/build/golang-current/source ENV GOROOT=/build/golang-current/go ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH -#ENV GOLANG_VERSION 1.17.13 -ENV GOLANG_VERSION=1.21.7 +ENV GOLANG_VERSION=1.21.8 ADD ./cache/$TARGETPLATFORM/golang-$GOLANG_VERSION.tar.gz /build/golang-current diff --git a/Dockerfile.downloader b/Dockerfile.downloader index c3a75f0..55838f0 100644 --- a/Dockerfile.downloader +++ b/Dockerfile.downloader 
@@ -9,37 +9,12 @@ FROM $FROM_REGISTRY/$FROM_IMAGE_BUILDER ARG BUILD_CREATED="1976-04-14T17:00:00-07:00" ENV NODE_VERSION=20.11.1 -ENV YARN_VERSION=1.22.21 +ENV YARN_VERSION=1.22.22 -#ENV GOLANG_VERSION 1.17.13 -#ENV GOLANG_LINUX_AMD64_SHA512 672ce66bd7f1400b66d367f1026f3d7062201a8d686b4c1813ccade597ebbe89f9bd98130badd1d7bc6f2cf4020d63a4e71323b44a96fad842d5766ca92aa822 -#ENV GOLANG_LINUX_ARM64_SHA512 8f70e89f7dbffe0d4892460a7508b8acd5830999150732388bf69a49e2120cadabe3b4ce641cfe805d4bf871d6e374ad2398fb029f55361607e0eba1c7ea62a4 -#ENV GOLANG_LINUX_ARM_V7_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 -#ENV GOLANG_LINUX_ARM_V6_SHA512 5fb56d05e0fe31a4253c4972e158c3c643af387795db68861445822cea24a657a35ddb8d9f0aacd7624d7f6f9d8f7d721b6df9be9862eab3c851cc30751e7f46 -#ENV GOLANG_LINUX_386_SHA512 0449a2b27d75d654fd214776ae3025d098f55d93a7b0ce07325864f1637d7ae4c8eca782578b6edbd05536e031339ee2bb466f82cbe5d29506033ea9f1aed167 -#ENV GOLANG_LINUX_S390X_SHA512 7f9b5e42dc1ac2993a8acab3ed625b0190c6c6300231c520852fb56ceb7f828ea9e1dbefca4230ec2aa290b36b61db48f764d4eafe39b79f2f570c4c62f6bb50 -#ENV GOLANG_LINUX_PPC64LE_SHA512 f259e4304afa85ce638c3c238cddce0dc6a78c2024e715a35c09ba6d0e71e6c4dd24937b84038f76c299aaa1f95be13d7d77513c5dfcb583ed87d4bdeec2114a - -#ENV GOLANG_VERSION 1.18.10 -#ENV GOLANG_LINUX_AMD64_SHA512 2f1986ae1a95f1e2e735abdf2240770210482215c03293322ce9d3cb7b5c7b2904943827154d048771b00fa95d9b5e659d8077873dea0352d7d8cca8880ce204 -#ENV GOLANG_LINUX_ARM64_SHA512 a488de01c7eefa02833d153c79ffed5fd126b6d84418c285fd4577f6dfa235a648eb3bbd160eb53d187db512a13015f9bb9310a32ef2b2141d869155c282b3df - -#ENV GOLANG_LINUX_ARM_V7_SHA512 c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 -#ENV GOLANG_LINUX_ARM_V6_SHA512 
c0c2dd514cd7eaba67c6236543ba2399b8f85ab0828cc2b62dff4936d1266339a643f7606c2b914cd8cf93360a500865ae18f42c87140f2c201cc7136f032337 -#ENV GOLANG_LINUX_386_SHA512 7ad352c874bdc931dea7bd99a34762f5d96bfd63e08cb4ff74a2db19c4ad0cb3bced57c97f683a6bd9a737aaee0ffe1d74f39b0cf81897b89e8dae1187acb634 -#ENV GOLANG_LINUX_S390X_SHA512 1919eda41493a86d6e70ccd98102d767a68621363c2d178fb329e4fedc5de0094acf2e19fa56cb4e288085bdef1cf932cf836a609837e10f50384e716e899c2f -#ENV GOLANG_LINUX_PPC64LE_SHA512 4017fe35e57af3354f8576ac9b450da7df54773979d2de74baf6ea61375d196ffa84c17074e53ea63510cc75b3401d6c71d51b5b3eafb9aee7828fafa1d7b9cb - -#14 3.760 ENV GOLANG_VERSION 1.19.1 -#14 5.791 ENV GOLANG_LINUX_AMD64_SHA512 a69153393a2eaf1c2b77f5a4bafe6a2fb36368c6856d79bd697472af71d925fc62c58e6b8fe75adf143b0462da2ed9e68d0fcd0328cde091be70d745b92814aa -#14 7.555 ENV GOLANG_LINUX_ARM64_SHA512 c7ad05c39e2890b57a6ba05521347c58fa5fd325d8f1aa3058da4ccf0ea7e9ea910fddae1789f24f48b39188ce8ff025d31778c79c977040785c6a641dde8ee3 -#14 9.211 ENV GOLANG_LINUX_ARM_V7_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 -#14 10.77 ENV GOLANG_LINUX_ARM_V6_SHA512 8747e9473495622f93ec735557eaaac3200817406b2f087bd46989df576806900314a5352443f16a686b2b5fcd8fc313403decbed04c2eca6cd89a80786ea644 - -ENV GOLANG_VERSION 1.21.7 -ENV GOLANG_LINUX_AMD64_SHA512 c3a4ec79e01d437b094df5043cda6af593f3f303aa48d56aa10beeb1bc22bf568009fbd56da9d078cf044bfcd723a1626c7b9e5f771a3de38b0ce6df21b6b1b6 -ENV GOLANG_LINUX_ARM64_SHA512 13610e247d44644f02625cd5e98a2aef6eb98268710d593a1eb065b89f0418164b6b0040a297b86df862870ac34492905a07911c4b41570d6e7637e515c2bcc8 -ENV GOLANG_LINUX_ARM_V7_SHA512 8a57f9a60ff761c7bae70ab8d3d3f2f398f8a24a2c3509c28cc513e58fd406971a7edb1d619c58468a9f2a59ad2b3ba7ccf82915783f54e83547863631ec6912 +ENV GOLANG_VERSION 1.21.8 +ENV GOLANG_LINUX_AMD64_SHA512 
c22d4623dede427057852ef939e593f6ed86b2a873f1cf7cc76bf52713df1e9df5c6dfde98a3185c633eb51a382118d4fc59dd29fd42a6c15123f93cbb0442ea +ENV GOLANG_LINUX_ARM64_SHA512 847bc80817d1e55f39d03a18259826167ef7fda50596427266015c30555f07d2cc799bf1ccca0ed5d3d5126b3c23fa23c1f7e7fb29990206b00407e79140f25f +ENV GOLANG_LINUX_ARM_V7_SHA512 b3c2ae224c3f3c2c555fb618a7921188fdf024f33cc7199ec956a9827af6c663b7ada6ef226eb82646dcbdd01e772f3c72569d6560912528c27dbbedb51d3bc7 ENV FAIL_WHEN_OUTDATED=true diff --git a/README.md b/README.md index 3ce7ea6..da51126 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Provides base images (builder, auditor, golang, node, runtime) used by all our images. -Currently, on linux amd64, 386, arm64, arm/v7, arm/v6, s390x, ppc64le: +Currently, on linux amd64, arm64: * `docker.io/dubodubonduponey/base:runtime-latest` and `docker.io/dubodubonduponey/base:runtime-$SUITE-$DATE` * based on our debootstrapped version of Debian Bookworm (currently `DATE=2024-03-01`) @@ -55,7 +55,7 @@ You can control additional aspects of the build passing arguments: ```bash # Control base image, target platforms, and cache ./hack/build.sh runtime \ - --inject platforms="linux/arm/v6" \ + --inject platforms="linux/arm64" \ --inject registry="private.registry/yourname" ``` diff --git a/context/scripts/entrypoint.sh b/context/scripts/entrypoint.sh index 06dee4e..29b738b 100755 --- a/context/scripts/entrypoint.sh +++ b/context/scripts/entrypoint.sh @@ -19,7 +19,7 @@ init::golang(){ } platforms::golang() { - printf "linux/amd64 linux/arm64 linux/arm/v7" + printf "linux/amd64 linux/arm64" # linux/arm/v7" # linux/arm/v6 linux/386 linux/ppc64le linux/s390x" } @@ -208,7 +208,8 @@ init::yarn() { } platforms::yarn() { - printf "linux/amd64 linux/arm64 linux/arm/v7" + printf "linux/amd64 linux/arm64 + # linux/arm/v7" # linux/arm/v6 linux/ppc64le linux/s390x" } From 04daa3e961f889979c771a888ba1688bd4a48206 Mon Sep 17 00:00:00 2001 
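Review bot: In `platforms::yarn` the new `printf "linux/amd64 linux/arm64` line has no closing quote; the quote only closes on the next added line after `# linux/arm/v7`, so the `#` sits inside the string instead of starting a comment. As the diff reads here (its line breaks were collapsed, so confirm against the file), the function prints `linux/amd64 linux/arm64`, a newline and `# linux/arm/v7`. A caller that word-splits the output would then see `#` and `linux/arm/v7` as platforms. `platforms::golang` in the same commit closes the quote before the comment; use the same form here: `printf "linux/amd64 linux/arm64" # linux/arm/v7`.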
From: dubo-dubon-duponey Date: Sun, 17 Mar 2024 16:28:21 -0700 Subject: [PATCH 51/51] CI --- .github/workflows/CI.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index c069344..52789ff 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -28,6 +28,8 @@ jobs: sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt" sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs" sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin" + sudo chmod g+w "$GITHUB_WORKSPACE/cache" + sudo chown $(id -u) "$GITHUB_WORKSPACE/cache" - name: Start apt proxy run: |