Merged
169 changes: 90 additions & 79 deletions .github/workflows/build-iso.yml
Expand Up @@ -12,25 +12,17 @@ on:
paths:
- 'iso/**'
- 'packages/**'
- 'scripts/**'
- 'Makefile'
- '.github/workflows/build-iso.yml'
pull_request:
branches: [main]
paths:
- 'iso/**'
- 'packages/**'
- 'scripts/**'
- 'Makefile'
workflow_dispatch:
inputs:
iso_type:
description: 'ISO type to build'
required: true
default: 'offline'
type: choice
options:
- netinst
- offline
- both

env:
DEBIAN_FRONTEND: noninteractive
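Review bot: the `paths:` list under `pull_request:` does not include `.github/workflows/build-iso.yml`, while the list under `push:` does, so a pull request that only changes this workflow is never exercised by it before merge; add the workflow path to both filters. Separately, the `workflow_dispatch` input `iso_type` (netinst / offline / both) is not referenced in any visible hunk of this file, yet the release notes further down advertise both an `-offline.iso` and a `-netinst.iso`; either pass `inputs.iso_type` into the build step or drop the input so the dispatch form does not offer a choice the job ignores.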
Expand All @@ -43,36 +35,34 @@ jobs:
- name: Checkout
uses: actions/checkout@v4

- name: Install build dependencies
- name: Build packages in Debian container
run: |
sudo apt-get update
sudo apt-get install -y \
dpkg-dev \
devscripts \
debhelper \
fakeroot \
gnupg

- name: Build cortex-archive-keyring
run: |
cd packages/cortex-archive-keyring
dpkg-buildpackage -us -uc -b

- name: Build cortex-core
run: |
cd packages/cortex-core
dpkg-buildpackage -us -uc -b

- name: Build cortex-full
run: |
cd packages/cortex-full
dpkg-buildpackage -us -uc -b
docker run --rm \
-v "${{ github.workspace }}:/workspace" \
-w /workspace \
-e DEBIAN_FRONTEND=noninteractive \
debian:bookworm /bin/bash -c '
set -e
apt-get update
apt-get install -y build-essential dpkg-dev devscripts debhelper fakeroot gnupg

for pkg in cortex-archive-keyring cortex-core cortex-full; do
echo "Building $pkg..."
cd /workspace/packages/$pkg
dpkg-buildpackage -us -uc -b
cd /workspace
done

mkdir -p /workspace/output/packages
mv /workspace/packages/*.deb /workspace/output/packages/ 2>/dev/null || true
ls -la /workspace/output/packages/
'

- name: Upload packages
uses: actions/upload-artifact@v4
with:
name: debian-packages
path: packages/*.deb
path: output/packages/*.deb
retention-days: 7

build-iso:
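Review bot: `mv /workspace/packages/*.deb /workspace/output/packages/ 2>/dev/null || true` followed by an unguarded `ls` means a build that produces no `.deb` at all still exits 0, and `actions/upload-artifact@v4` only warns by default when its `path` matches nothing, so this job can go green with an empty `debian-packages` artifact. Drop the `|| true` and fail explicitly when the glob is empty, for example `test -n "$(ls /workspace/output/packages/*.deb 2>/dev/null)"`. Two smaller points: the loop builds only `cortex-archive-keyring`, `cortex-core` and `cortex-full`, although this PR also changes packaging for `cortex-gpu-amd`, `cortex-gpu-nvidia`, `cortex-llm` and `cortex-secops`; and `debian:bookworm` is a mutable tag, so pin the base image by digest (`debian:bookworm@sha256:<digest>`) for the same supply-chain reason that action refs should be pinned.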
Expand All @@ -82,8 +72,18 @@ jobs:
strategy:
matrix:
arch: [amd64]
# arm64 builds require self-hosted runner with ARM
steps:
- name: Free disk space
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: false
swap-storage: true
Comment on lines +76 to +85

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/build-iso.yml | sed -n '70,90p'

Repository: cortexlinux/cortex-distro

Length of output: 697


🌐 Web query:

GitHub Actions version pinning commit SHA best practices supply chain security

💡 Result:

Short best-practices for pinning GitHub Actions to commit SHAs (supply‑chain security):

  1. Pin to a full-length commit SHA (not @main/@tag) so the action code is immutable for your workflow. Verify the SHA originates from the action’s official repo (not a fork). [1][4]

  2. Prefer SHAs that correspond to official tagged releases (and comment the tag/version in the workflow) so Dependabot can recommend updates while retaining immutability. [1]

  3. Audit the action’s source for mutable dependencies (unpinned container images, scripts that download code at runtime, composite actions that pull external code) — pinning SHA does not help if the action itself fetches mutable artifacts. Reject “unpinnable” actions. [1][2][4]

  4. Enforce SHA pinning and blocklists at org/enterprise level (Allowed actions & reusable workflows policy) so non-pinned or known-malicious actions fail policy checks. Use explicit block entries for compromised actions. [1][3][4]

  5. Use Dependabot (or similar) to surface outdated/vulnerable actions, but note Dependabot alerts behave differently for SHA-pinned dependencies — prefer SHAs tied to tags to keep update signals. [1]

  6. Minimize risk via least-privilege: narrow GITHUB_TOKEN permissions, require environment approvals for prod workflows, and rotate/separate secrets accessible to Actions. Monitor for exfiltration patterns. [1][4]

  7. Add operational controls: workflow review/PR gating, automated checks (e.g., “ensure SHA pinned” linter/action), CI audits of used actions, and alerting for new external references. [3]

  8. When available, prefer vendor-provided “immutable releases” (GitHub immutable releases / verified creators) so you can safely pin to semantic versions instead of raw SHAs. Still verify provenance. [1][5]

Trade-offs / notes:

  • SHAs maximize integrity but cost maintainability (manual updates). Tag+SHA comment is a practical compromise to get Dependabot help. [1]
  • SHA pinning can’t fully protect if the action downloads mutable artifacts at runtime — inspect runtime behavior. [2]
  • Enforce org policies and monitoring to respond quickly if a widely-used action is compromised. [3]

Sources: GitHub Well‑Architected / Actions security guidance; GitHub Docs (secure use & allowed actions); GitHub changelog on SHA enforcement; industry analysis of “unpinnable” actions; marketplace/tools for enforcing SHA pinning. [1][4][3][2][3]


Pin jlumbroso/free-disk-space to a commit SHA.

Using @main is mutable and weakens supply-chain security. Pin to a trusted commit SHA tied to an official release tag (comment the tag in the workflow) so the action code is immutable and Dependabot can track updates.

🛠️ Proposed fix
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@<PINNED_SHA>
🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 76 - 85, The workflow step
"Free disk space" currently uses the mutable action reference
jlumbroso/free-disk-space@main; replace the `@main` ref with a specific commit SHA
for that action (e.g. jlumbroso/free-disk-space@<COMMIT_SHA>) so the action is
immutable, and add a comment next to the SHA noting the corresponding release
tag (e.g. // tag: vX.Y.Z) for future tracking; ensure Dependabot configuration
can detect and suggest updates when you change the SHA.
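
The pinning guidance in the comment above ends with a recommendation to add an automated "ensure SHA pinned" check. The following script is an added example written for this review thread; it is not code from the cortex-distro repository. It scans workflow text for two kinds of mutable reference: `uses:` lines whose ref is a branch or tag rather than a full 40-hex commit SHA, and container images named by tag without a digest (the latter is a line heuristic over `docker run` commands and `image:` keys, not a YAML parse). `SAMPLE_WORKFLOW` is a constructed snippet modelled on the hunk above; the 40-character SHA in it is a placeholder, not a real commit.

```python
"""Find mutable action refs and container image tags in a GitHub Actions workflow.

Added example for this review thread; not code from the cortex-distro repository.
Standard library only, so it can run as a pre-commit or CI check without extras.
"""
import re
from typing import Iterator, List, Tuple

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Lines worth scanning for images: a `docker run` in a script, or an `image:` key.
IMAGE_HINT_RE = re.compile(r"(docker\s+run\b|^\s*image:\s*)")
# name:tag without a digest; digest-pinned refs are removed before this is applied.
IMAGE_RE = re.compile(r"\b([a-z0-9][a-z0-9._/-]*):([A-Za-z0-9._-]+)\b")
DIGEST_REF_RE = re.compile(r"\S+@sha256:[0-9a-f]{64}")


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, text) with backslash-newline continuations joined."""
    buf: List[str] = []
    start = 0
    for n, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line, ref) for every `uses:` that is not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned together with the workflow itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref))
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA40_RE.match(version):
            findings.append((n, ref))
    return findings


def find_unpinned_images(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line, image) for name:tag images referenced without a digest."""
    findings = []
    for n, logical in _logical_lines(workflow_text):
        if not IMAGE_HINT_RE.search(logical):
            continue
        remaining = DIGEST_REF_RE.sub("", logical)  # digest-pinned refs are fine
        for m in IMAGE_RE.finditer(remaining):
            findings.append((n, f"{m.group(1)}:{m.group(2)}"))
    return findings


# Constructed sample workflow (not the real build-iso.yml); the SHA is a placeholder.
SAMPLE_WORKFLOW = "\n".join([
    "jobs:",                                                   # 1
    "  build:",                                                # 2
    "    runs-on: ubuntu-latest",                              # 3
    "    container:",                                          # 4
    "      image: node:20",                                    # 5
    "    steps:",                                              # 6
    "      - uses: actions/checkout@v4",                       # 7
    "      - uses: jlumbroso/free-disk-space@main",            # 8
    "      - uses: actions/upload-artifact@" + "a" * 40 + "  # v4 (placeholder SHA)",  # 9
    "      - uses: ./.github/actions/local-thing",             # 10
    "      - run: |",                                          # 11
    "          docker run --rm \\",                            # 12
    '            -v "${{ github.workspace }}:/workspace" \\',  # 13
    "            debian:bookworm /bin/bash -c 'echo hi'",      # 14
    "          docker run --rm debian:bookworm@sha256:" + "0" * 64 + " true",  # 15
])

if __name__ == "__main__":
    for n, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: action not pinned to a commit SHA: {ref}")
    for n, image in find_unpinned_images(SAMPLE_WORKFLOW):
        print(f"line {n}: container image not pinned by digest: {image}")
```

On the sample it reports `actions/checkout@v4` and `jlumbroso/free-disk-space@main` as unpinned actions and `node:20` and `debian:bookworm` as unpinned images, while the placeholder-SHA action, the local `./` action and the digest-pinned image pass. Pinning to a SHA only helps if the SHA comes from the action's official repository and the action does not fetch mutable code at runtime, so this check is a gate, not a substitute for reading the action.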


- name: Checkout
uses: actions/checkout@v4

Expand All @@ -93,59 +93,71 @@ jobs:
name: debian-packages
path: packages/

- name: Install live-build dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
live-build \
debootstrap \
squashfs-tools \
xorriso \
isolinux \
syslinux-efi \
grub-pc-bin \
grub-efi-amd64-bin \
mtools \
dosfstools

- name: Configure live-build
run: |
cd iso/live-build
chmod +x auto/*
sudo lb config

- name: Copy packages to chroot
run: |
mkdir -p iso/live-build/config/packages.chroot/
cp packages/*.deb iso/live-build/config/packages.chroot/

- name: Build ISO
run: |
cd iso/live-build
sudo lb build 2>&1 | tee build.log

- name: Generate checksums
- name: Build ISO in Debian container
run: |
cd iso/live-build
sha256sum *.iso > SHA256SUMS
sha512sum *.iso > SHA512SUMS
docker run --rm --privileged \
-v "${{ github.workspace }}:/workspace" \
-w /workspace \
-e ARCH=${{ matrix.arch }} \
-e DEBIAN_FRONTEND=noninteractive \
debian:bookworm /bin/bash -c '
set -e
echo "=== Installing build dependencies ==="
apt-get update
apt-get install -y \
live-build \
debootstrap \
squashfs-tools \
xorriso \
isolinux \
syslinux-efi \
grub-pc-bin \
grub-efi-amd64-bin \
mtools \
dosfstools \
gnupg \
debian-archive-keyring

echo "=== Configuring live-build ==="
cd /workspace/iso/live-build
chmod +x auto/* 2>/dev/null || true
lb config

echo "=== Building ISO (packages will be added post-install) ==="
lb build 2>&1 | tee /workspace/build.log

echo "=== Generating checksums ==="
if ls *.iso 1>/dev/null 2>&1; then
sha256sum *.iso > SHA256SUMS
sha512sum *.iso > SHA512SUMS
mkdir -p /workspace/output
mv *.iso *.sha* /workspace/output/ 2>/dev/null || true
mv SHA256SUMS SHA512SUMS /workspace/output/ 2>/dev/null || true
else
echo "No ISO files generated"
exit 1
fi

echo "=== Output ==="
ls -la /workspace/output/
'

- name: Upload ISO
uses: actions/upload-artifact@v4
with:
name: cortex-linux-${{ matrix.arch }}
path: |
iso/live-build/*.iso
iso/live-build/SHA256SUMS
iso/live-build/SHA512SUMS
output/*.iso
output/SHA256SUMS
output/SHA512SUMS
retention-days: 14

- name: Upload build log
if: always()
uses: actions/upload-artifact@v4
with:
name: build-log-${{ matrix.arch }}
path: iso/live-build/build.log
path: build.log
retention-days: 7

release:
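Review bot: the `debian-packages` artifact is downloaded to `packages/` (`name: debian-packages` / `path: packages/`), but nothing in the new build step copies it into `config/packages.chroot/`; the removed "Copy packages to chroot" step did exactly that, and the new echo line says "packages will be added post-install", so the ISO this job produces no longer contains the freshly built cortex packages. Either restore the copy before `lb build` or remove the artifact download. Second, `lb build 2>&1 | tee /workspace/build.log` under plain `set -e` returns tee's exit status, so a failed `lb build` does not stop the script; add `set -o pipefail` (the interpreter here is bash) or check `${PIPESTATUS[0]}` instead of relying on the later `ls *.iso` test. Third, `--privileged` hands the build container every capability on the runner; `lb build` needs it for chroot mounts, but it also means every hook and maintainer script that runs inside the chroot runs as unconfined root on the host, which is one more reason to pin the `debian:bookworm` image by digest and to keep the archive areas and package lists tight. Finally, `mv *.iso *.sha* /workspace/output/ 2>/dev/null || true` followed by a second `mv` of `SHA256SUMS SHA512SUMS` is harmless, but the `|| true` hides a real failure; a single `mv *.iso SHA256SUMS SHA512SUMS /workspace/output/` without the guard is clearer.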
Expand Down Expand Up @@ -177,21 +189,20 @@ jobs:
SHA512SUMS
body: |
## Cortex Linux ${{ github.ref_name }}

### Downloads
- **cortex-linux-*-amd64-offline.iso** - Full offline installer
- **cortex-linux-*-amd64-netinst.iso** - Minimal network installer


### Verification
```bash
sha256sum -c SHA256SUMS
```

### Quick Start
1. Write ISO to USB: `dd if=cortex-linux-*.iso of=/dev/sdX bs=4M status=progress`
2. Boot from USB
3. Follow installation prompts

### Documentation
See https://cortexlinux.com/docs for full documentation.
draft: false
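Review bot: the Verification section only tells users to run `sha256sum -c SHA256SUMS`, but the checksum files are produced by the same job that builds the ISO and are uploaded next to it, so they detect a corrupted download, not a tampered release; anyone who can replace the ISO on the release page can regenerate `SHA256SUMS` as well. Sign the checksum file (a detached signature with the project release key, or a build attestation) and document verifying that signature before the `sha256sum -c` line. The Downloads list also names both an `-offline.iso` and a `-netinst.iso`, while the build job above produces one `cortex-linux` image per architecture with no visible use of the `iso_type` input.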
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,7 @@

**Debian-based Distribution Engineering for Cortex Linux**

[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
[![License](https://img.shields.io/badge/license-BSL%201.1-orange.svg)](LICENSE)
[![Debian](https://img.shields.io/badge/base-Debian%2013%20trixie-A81D33.svg)](https://debian.org)
[![Build](https://img.shields.io/github/actions/workflow/status/cortexlinux/cortex-distro/build-iso.yml?branch=main)](https://github.com/cortexlinux/cortex-distro/actions)
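Review bot: the Debian badge on the unchanged context line here still reads "Debian 13 trixie", while `iso/live-build/auto/config` in this same PR switches `CODENAME` to `bookworm`; update the badge (and any README text that names trixie) so the advertised base matches what the ISO is actually built from.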

Expand Down Expand Up @@ -231,7 +231,7 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

## License

Apache 2.0 - See [LICENSE](LICENSE)
BSL 1.1 - See [LICENSE](LICENSE)

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's verify the README.md license section
git ls-files | grep -i readme

# Get line 234 of README.md if it exists
if [ -f README.md ]; then
  echo "=== README.md line 234 ===" 
  sed -n '234p' README.md
fi

Repository: cortexlinux/cortex-distro

Length of output: 138


🏁 Script executed:

#!/bin/bash
# Verify repository-wide license consistency

echo "=== Checking for any remaining Apache-2.0 SPDX headers ==="
rg -c "SPDX-License-Identifier:\s*Apache-2\.0" 2>/dev/null || echo "No matches found"

echo -e "\n=== Checking for any remaining Apache references in documentation ==="
rg -c -i "apache\s*2\.0" -t md 2>/dev/null || echo "No markdown files with Apache 2.0 references"

echo -e "\n=== Checking for BUSL-1.1 headers ==="
rg -c "SPDX-License-Identifier:\s*BUSL-1\.1" 2>/dev/null || echo "No BUSL-1.1 headers found"

echo -e "\n=== Checking LICENSE file content ==="
if [ -f LICENSE ]; then
  head -20 LICENSE
else
  echo "No LICENSE file found"
fi

echo -e "\n=== Repository files count by type ==="
find . -type f -name "*.md" | wc -l
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.go" -o -name "*.py" -o -name "*.java" \) | wc -l

Repository: cortexlinux/cortex-distro

Length of output: 1856


License migration incomplete across codebase.

While README.md correctly reflects BSL 1.1 and the LICENSE file is properly configured with BUSL-1.1 terms, 18 source files still retain Apache-2.0 SPDX headers and must be updated to maintain consistency:

  • iso/preseed/cortex.preseed
  • packages/cortex-full/debian/rules
  • packages/cortex-core/cortex-verify.py
  • iso/live-build/auto/config
  • iso/live-build/auto/build
  • packages/cortex-core/cortex-upgrade.py
  • iso/live-build/auto/clean
  • packages/cortex-archive-keyring/debian/rules
  • iso/live-build/config/package-lists/cortex-full.list.chroot
  • packages/cortex-core/cortex-gpu.py
  • iso/live-build/config/package-lists/cortex-core.list.chroot
  • Makefile
  • packages/cortex-core/config/provision.yaml.example
  • iso/live-build/config/hooks/live/0100-cortex-config.hook.chroot
  • packages/cortex-core/config/cortex.yaml
  • packages/cortex-core/config/cortex.sources
  • packages/cortex-core/config/cortex.pref
  • packages/cortex-core/debian/rules

Update all SPDX headers to: SPDX-License-Identifier: BUSL-1.1

🤖 Prompt for AI Agents
In `@README.md` at line 234, Several source files still carry the old Apache-2.0
SPDX header; search the listed files (e.g., iso/preseed/cortex.preseed,
packages/cortex-core/* (cortex-verify.py, cortex-upgrade.py, cortex-gpu.py,
config/*, debian/rules), packages/cortex-full/debian/rules,
iso/live-build/auto/*, iso/live-build/config/*, Makefile,
packages/cortex-archive-keyring/debian/rules) for the existing SPDX line (e.g.,
"SPDX-License-Identifier: Apache-2.0") and replace it with the exact header
"SPDX-License-Identifier: BUSL-1.1" so all files match the LICENSE and README;
ensure the header formatting/placement is preserved in each file and run a quick
grep to verify no Apache-2.0 SPDX lines remain before committing.


## Support

17 changes: 7 additions & 10 deletions iso/live-build/auto/config
Expand Up @@ -7,18 +7,19 @@
set -e

# Cortex Linux build configuration
CODENAME="trixie"
# Using bookworm (stable) for reliable package availability and GPG support
CODENAME="bookworm"
ARCH="amd64"
VERSION="0.1.0"

# Ubuntu 24.04 compatible live-build options

⚠️ Potential issue | 🟡 Minor

Fix stale Ubuntu reference in comment.

The comment says “Ubuntu 24.04” but the script is configured for Debian bookworm, which can mislead maintainers.

📝 Suggested update
-# Ubuntu 24.04 compatible live-build options
+# Debian bookworm live-build options
🤖 Prompt for AI Agents
In `@iso/live-build/auto/config` at line 15, Update the stale comment string "#
Ubuntu 24.04 compatible live-build options" to reflect the actual target distro
(e.g., "Debian Bookworm compatible live-build options" or a neutral "Debian
(bookworm) compatible live-build options") so the top-of-file comment in the
auto/config matches the script's configuration; locate and edit the exact
comment line shown ("# Ubuntu 24.04 compatible live-build options") and replace
the text accordingly.

lb config noauto \
--distribution "${CODENAME}" \
--parent-distribution "${CODENAME}" \
--parent-debian-installer-distribution "${CODENAME}" \
--archive-areas "main contrib non-free non-free-firmware" \
--architectures "${ARCH}" \
--binary-images iso-hybrid \
--bootloaders "grub-efi,syslinux" \
--debian-installer-distribution "${CODENAME}" \
--debian-installer live \
--debian-installer-gui false \
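Review bot: the comment above the new `CODENAME="bookworm"` line justifies the move with "reliable package availability and GPG support" but does not say what actually failed on trixie; record the concrete problem (missing package, keyring, or live-build support) so a later maintainer knows when it is safe to move back, especially since the README still advertises Debian 13 trixie. The `--archive-areas "main contrib non-free non-free-firmware"` line pulls non-free components into the image; if that is intentional, say so in the comment, because it affects both the licensing of the ISO and the trust boundary of what gets installed.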
Expand All @@ -28,38 +29,34 @@ lb config noauto \
--iso-volume "Cortex Linux ${VERSION}" \
--memtest none \
--security true \
--updates true \
--backports true \
--apt-indices true \
--apt-recommends true \
--apt-source-archives false \
--cache true \
--cache-indices true \
--cache-packages true \
--cache-stages true \
--checksums sha256 \
--chroot-filesystem squashfs \
--clean \
--color \
--compression xz \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debootstrap-options "--variant=minbase --include=apt-transport-https,ca-certificates,gnupg" \
--firmware-binary true \
--firmware-chroot true \
--hdd-size auto \
--image-name "cortex-linux" \
--initramfs live-boot \
--initramfs-compression xz \
--initsystem systemd \
--interactive false \
--linux-flavours "${ARCH}" \
--linux-packages "linux-image linux-headers" \
--mode debian \
--quiet \
--system live \
--verbose \
--bootappend-live "boot=live components quiet splash locales=en_US.UTF-8 keyboard-layouts=us" \
"${@}"

# Create package lists directory
mkdir -p config/package-lists
echo "apt-transport-https ca-certificates gnupg" > config/package-lists/base.list.chroot

echo "Cortex Linux live-build configured successfully"
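Review bot: `--debootstrap-options "--variant=minbase --include=apt-transport-https,ca-certificates,gnupg"` and the `base.list.chroot` written at the end of the script install the same three packages twice; keep one of them. `apt-transport-https` is a transitional dummy package on bookworm (HTTPS support lives in apt itself), so it can be dropped from both. `--apt-recommends true` combined with the non-free archive areas also widens what ends up in the image well beyond the explicit package lists; if the goal is a minimal, auditable base, use `--apt-recommends false` and list what is needed explicitly.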
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux First Boot Provisioning
# Runs on first boot to complete system setup
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e

1 change: 0 additions & 1 deletion packages/cortex-archive-keyring/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-core/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-full/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-gpu-amd/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-gpu-nvidia/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-llm/debian/compat

This file was deleted.

1 change: 0 additions & 1 deletion packages/cortex-secops/debian/compat

This file was deleted.
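Review bot: removing `debian/compat` from all seven packages only builds if each package's `debian/control` now declares `debhelper-compat (= N)` in `Build-Depends`; no `control` change appears in this diff, so that needs confirming. The CI loop in `build-iso.yml` builds only three of the seven packages, so `cortex-gpu-amd`, `cortex-gpu-nvidia`, `cortex-llm` and `cortex-secops` are not exercised by the workflow at all after this change; run `dpkg-buildpackage -us -uc -b` for each of them before merging, or add them to the build loop.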

2 changes: 1 addition & 1 deletion repository/scripts/repo-manage.sh
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux APT Repository Management
# Manages package publishing, signing, and snapshots
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e

2 changes: 1 addition & 1 deletion sbom/generate-sbom.sh
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux SBOM Generation
# Generates Software Bill of Materials in CycloneDX and SPDX formats
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e

2 changes: 1 addition & 1 deletion scripts/build.sh
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux Master Build Script
# One-command ISO build with all dependencies
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e

2 changes: 1 addition & 1 deletion tests/verify-iso.sh
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux ISO Verification Tests
# Validates ISO integrity and bootability
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e

2 changes: 1 addition & 1 deletion tests/verify-packages.sh
Expand Up @@ -2,7 +2,7 @@
# Cortex Linux Package Verification Tests
# Validates Debian package structure and dependencies
# Copyright 2025 AI Venture Holdings LLC
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: BUSL-1.1

set -e
