From 6060337596795d23683788a83bf862c6cc4af54b Mon Sep 17 00:00:00 2001 From: Wouter Deconinck Date: Tue, 3 Feb 2026 12:53:15 -0600 Subject: [PATCH 1/7] hotfix: extend llvm sha-1 deadline by a month --- containers/debian/Dockerfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile index 370098e9..5f60ee6c 100644 --- a/containers/debian/Dockerfile +++ b/containers/debian/Dockerfile @@ -74,6 +74,13 @@ apt-get -yqq autoremove localedef -i en_US -f UTF-8 en_US.UTF-8 EOF +# Override SHA-1 second pre-image resistance deadline +## FIXME Remove when LLVM has fixed their signature +COPY /etc/crypto-policies/back-ends/sequoia.config << EOF +[hash_algorithms] +sha1 = 2026-03-01 +EOF + # Install updated compilers, with support for multiple base images ## Ubuntu: latest gcc from toolchain ppa, latest stable clang ## Debian: default gcc with distribution, latest stable clang From 2271bd7935661e84543a438c1429d5e6f7a953e9 Mon Sep 17 00:00:00 2001 From: Wouter Deconinck Date: Tue, 3 Feb 2026 12:55:49 -0600 Subject: [PATCH 2/7] fix: heredoc -> no space here, doc! --- containers/debian/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile index 5f60ee6c..418097b5 100644 --- a/containers/debian/Dockerfile +++ b/containers/debian/Dockerfile @@ -76,7 +76,7 @@ EOF # Override SHA-1 second pre-image resistance deadline ## FIXME Remove when LLVM has fixed their signature -COPY /etc/crypto-policies/back-ends/sequoia.config << EOF +COPY /etc/crypto-policies/back-ends/sequoia.config < Date: Tue, 3 Feb 2026 12:58:17 -0600 Subject: [PATCH 3/7] fix: from heredoc to theredoc --- containers/debian/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile index 418097b5..1240736a 100644 --- a/containers/debian/Dockerfile +++ b/containers/debian/Dockerfile 
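Review bot: The added `sha1 = 2026-03-01` entry in `sequoia.config` looks wider than the comment above it says. As far as I know, a bare `sha1 = <date>` key in a Sequoia policy file moves the cutoff for both collision resistance and second pre-image resistance, and the file applies to every signature verified under that policy in the image, not only those from apt.llvm.org. If only the second pre-image deadline needs extending, `sha1.second_preimage_resistance = 2026-03-01` would match the comment; please also confirm that creating this file does not replace the distribution's default policy and drop its other cutoffs. The `## FIXME` has no issue link or end date, so I would write it as `## FIXME(<issue-ref>): remove once apt.llvm.org signs without SHA-1; do not extend past 2026-03-01`.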
@@ -76,7 +76,7 @@ EOF # Override SHA-1 second pre-image resistance deadline ## FIXME Remove when LLVM has fixed their signature -COPY /etc/crypto-policies/back-ends/sequoia.config < Date: Tue, 3 Feb 2026 13:08:28 -0600 Subject: [PATCH 4/7] fix: unstable is now forky --- containers/debian/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile index 1240736a..abf46334 100644 --- a/containers/debian/Dockerfile +++ b/containers/debian/Dockerfile @@ -108,7 +108,7 @@ case ${ID} in esac # Clang repository curl -s https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc -if [ ${VERSION_CODENAME} = trixie ] ; then +if [ ${VERSION_CODENAME} = forky ] ; then echo "deb http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list else echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list From 40732403245e7df5d620f0904ee5dbd3ee768194 Mon Sep 17 00:00:00 2001 From: Wouter Deconinck Date: Tue, 3 Feb 2026 13:08:54 -0600 Subject: [PATCH 5/7] fix: add explicit signed-by --- containers/debian/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile index abf46334..b43ca95f 100644 --- a/containers/debian/Dockerfile +++ b/containers/debian/Dockerfile 
@@ -109,9 +109,9 @@ esac
 # Clang repository
 curl -s https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
 if [ ${VERSION_CODENAME} = forky ] ; then
- echo "deb http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list
+ echo "deb [signed_by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list
 else
- echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list
+ echo "deb [signed_by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list
 fi
 # Install packages
 apt-get -yqq update
From ee1e2d1bcc6cfae9d0817da7ae82eb74fe36319e Mon Sep 17 00:00:00 2001
From: Wouter Deconinck
Date: Tue, 3 Feb 2026 13:19:49 -0600
Subject: [PATCH 6/7] fix: signed_by -> signed-by
---
 containers/debian/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile
index b43ca95f..7289fd2b 100644
--- a/containers/debian/Dockerfile
+++ b/containers/debian/Dockerfile
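Review bot: The key-scoping option added to both `echo "deb [...]"` lines does not narrow trust, because the `curl ... | tee` context line still writes the key to `/etc/apt/trusted.gpg.d/apt.llvm.org.asc` and apt accepts every key in that directory for all configured repositories. Store the key outside the global trust directory, e.g. `tee /etc/apt/keyrings/apt.llvm.org.asc` (creating the directory if the base image lacks it), and use that path in the bracketed option; the same path recurs in the hunks of patches 6/7 and 7/7. The fetch uses `curl -s` without `-f`, so an HTTP error body would be saved as the key file; `curl -fsSL` fails at the download instead. Comparing the downloaded key's fingerprint with a value pinned in the Dockerfile would catch a replaced key. The enclosing shell block starts and ends outside the hunk.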
@@ -109,9 +109,9 @@ esac
 # Clang repository
 curl -s https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
 if [ ${VERSION_CODENAME} = forky ] ; then
- echo "deb [signed_by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list
+ echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list
 else
- echo "deb [signed_by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list
+ echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list
 fi
 # Install packages
 apt-get -yqq update
From 14dd78a449942fadabf95e80284f33981ed9519b Mon Sep 17 00:00:00 2001
From: Wouter Deconinck
Date: Tue, 3 Feb 2026 13:31:59 -0600
Subject: [PATCH 7/7] fix: back to unstable for trixie
---
 containers/debian/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/containers/debian/Dockerfile b/containers/debian/Dockerfile
index 7289fd2b..5f8a876e 100644
--- a/containers/debian/Dockerfile
+++ b/containers/debian/Dockerfile
@@ -108,7 +108,7 @@ case ${ID} in
 esac
 # Clang repository
 curl -s https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
-if [ ${VERSION_CODENAME} = forky ] ; then
+if [ ${VERSION_CODENAME} = trixie ] ; then
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/unstable llvm-toolchain${CLANG} main" > /etc/apt/sources.list.d/llvm.list
 else
 echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME}${CLANG} main" > /etc/apt/sources.list.d/llvm.list
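Review bot: `${VERSION_CODENAME}` is unquoted in the changed test in the patch 7/7 hunk, so on a base image where it is empty the `[` command errors out and the `else` branch writes a source line with an empty suite name; `if [ "${VERSION_CODENAME}" = trixie ] ; then` avoids that. The codename in this test was switched in patch 4/7 and switched back here, and nothing in the file records why this release maps to the `unstable` suite. A comment above the `if`, such as `# trixie uses the apt.llvm.org unstable suite because <reason>; revisit at the next Debian release`, would make the next change deliberate. The enclosing shell block starts and ends outside the hunk.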