From 7c231100ffd8a5c6609cbe6086983f8c6e182d8ffc39fb20a90dbdc929b6823e Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 28 Oct 2025 15:56:58 +0100 Subject: [PATCH] V8.13.294.2025.10.28 Signed-off-by: Marc S. Weidner --- config/hooks/live/9999_zzzz.chroot | 8 ++++++++ docs/CHANGELOG.md | 12 ++++++------ lib/lib_cdi.sh | 2 +- lib/lib_lb_config_write_trixie.sh | 13 ------------- scripts/etc/.keep | 10 ++++++++++ scripts/usr/.keep | 10 ++++++++++ scripts/usr/lib/.keep | 10 ++++++++++ scripts/usr/lib/live/.keep | 10 ++++++++++ scripts/{ => usr/lib/live/config}/9999-cdi-starter | 0 9 files changed, 55 insertions(+), 20 deletions(-) create mode 100644 scripts/etc/.keep create mode 100644 scripts/usr/.keep create mode 100644 scripts/usr/lib/.keep create mode 100644 scripts/usr/lib/live/.keep rename scripts/{ => usr/lib/live/config}/9999-cdi-starter (100%) diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot index df89811..8d6cf8f 100644 --- a/config/hooks/live/9999_zzzz.chroot +++ b/config/hooks/live/9999_zzzz.chroot @@ -75,6 +75,14 @@ done rm -f /root/ciss_xdg_tmp.sh +if [[ -d /tmp ]]; then + + find /tmp -mindepth 1 -maxdepth 1 -xdev -exec rm -rf -- {} + + +fi + +install -d -m 1777 -o root -g root /tmp + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index b4d148a..79c8a1b 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
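Review bot: The `-xdev` on the added `find /tmp -mindepth 1 -maxdepth 1 -xdev -exec rm -rf -- {} +` does not keep the deletion on one filesystem. find only declines to descend into a mount point; it still hands that depth-1 directory to `rm -rf`, which then recurses into it. Whether anything is mounted under /tmp while this chroot hook runs is not visible from the hunk, but if it can be, `find /tmp -xdev -mindepth 1 -delete` lets find do the removal itself and leaves the contents of a mounted filesystem alone. Separately, `[[ -d /tmp ]]` is also true when /tmp is a symlink to a directory, in which case find removes nothing and `install -d -m 1777 -o root -g root /tmp` presumably acts on the link target; a `[[ ! -L /tmp ]]` check before both commands would make that case explicit. The hook's body starts outside the hunk.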
@@ -21,7 +21,7 @@ include_toc: true * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90 -* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) = unified logging +* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) = unified logging ## V8.13.292.2025.10.27 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel() @@ -29,7 +29,7 @@ include_toc: true ## V8.13.290.2025.10.26 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) -* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™. +* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™. ## V8.13.288.2025.10.24 * **Added**: Preparations for CISS and PhysNet primordial-workflow™. @@ -52,7 +52,7 @@ include_toc: true * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) -* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) ## V8.13.256.2025.10.21 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) 
@@ -83,7 +83,7 @@ include_toc: true * **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) ## V8.13.142.2025.10.14 -* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) ## V8.13.132.2025.10.11 * **Added**: [REPOSITORY.md](../REPOSITORY.md) @@ -118,7 +118,7 @@ include_toc: true * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh) * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) -* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot) * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot) * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) @@ -130,7 +130,7 @@ include_toc: true ## V8.13.048.2025.10.06 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64`` * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi`` -* **Updated**: [9000-cdi-starter](../scripts/9999-cdi-starter) +* **Updated**: [9000-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) ## V8.13.032.2025.10.03 * **Added**: Internal Gitea Action Runner switch for static SSHFP records. diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh index ab272b9..9d5d46c 100644 --- a/lib/lib_cdi.sh +++ b/lib/lib_cdi.sh 
@@ -36,7 +36,7 @@ cdi() { fi - cp "${VAR_WORKDIR}/scripts/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" + cp "${VAR_WORKDIR}/scripts/usr/lib/live/config/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 3399421..bf30e31 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh @@ -117,19 +117,6 @@ lb_config_write_trixie() { ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs" cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" -boot/initrd.img-* -boot/vmlinu[xz]-* -debootstrap -debootstrap/* -root/.wget-hsts -usr/lib/firmware/amd/* -usr/lib/firmware/amd-ucode/* -usr/lib/firmware/amdtee/* -usr/lib/firmware/intel-ucode/* -var/cache/apt/pkgcache.bin -var/cache/apt/srcpkgcache.bin -var/lib/apt/lists/* -var/lib/initramfs-tools/*-amd64 EOF chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" diff --git a/scripts/etc/.keep b/scripts/etc/.keep new file mode 100644 index 0000000..b4349f3 --- /dev/null +++ b/scripts/etc/.keep 
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/scripts/usr/.keep b/scripts/usr/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/scripts/usr/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/scripts/usr/lib/.keep b/scripts/usr/lib/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/scripts/usr/lib/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/scripts/usr/lib/live/.keep b/scripts/usr/lib/live/.keep
new file mode 100644
index 0000000..b4349f3
--- /dev/null
+++ b/scripts/usr/lib/live/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
diff --git a/scripts/9999-cdi-starter b/scripts/usr/lib/live/config/9999-cdi-starter
similarity index 100%
rename from scripts/9999-cdi-starter
rename to scripts/usr/lib/live/config/9999-cdi-starter