V8.13.294.2025.10.28

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9999_zzzz.chroot

@@ -75,6 +75,14 @@ done
 
 rm -f /root/ciss_xdg_tmp.sh
 
+if [[ -d /tmp ]]; then
+
+  find /tmp -mindepth 1 -maxdepth 1 -xdev -exec rm -rf -- {} +
+
+fi
+
+install -d -m 1777 -o root -g root /tmp
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

docs/CHANGELOG.md

@@ -21,7 +21,7 @@ include_toc: true
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
-* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) = unified logging
+* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) = unified logging
 
 ## V8.13.292.2025.10.27
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
@@ -29,7 +29,7 @@ include_toc: true
 ## V8.13.290.2025.10.26
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
-* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
+* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
 
 ## V8.13.288.2025.10.24
 * **Added**: Preparations for CISS and PhysNet primordial-workflow™.
@@ -52,7 +52,7 @@ include_toc: true
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
 * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) 
-* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) 
+* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) 
 
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -83,7 +83,7 @@ include_toc: true
 * **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 
 ## V8.13.142.2025.10.14
-* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
 
 ## V8.13.132.2025.10.11
 * **Added**: [REPOSITORY.md](../REPOSITORY.md)
@@ -118,7 +118,7 @@ include_toc: true
 * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
 * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
-* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
 * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
@@ -130,7 +130,7 @@ include_toc: true
 ## V8.13.048.2025.10.06
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
 * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
-* **Updated**: [9000-cdi-starter](../scripts/9999-cdi-starter)
+* **Updated**: [9000-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
 
 ## V8.13.032.2025.10.03
 * **Added**: Internal Gitea Action Runner switch for static SSHFP records.

lib/lib_cdi.sh

@@ -36,7 +36,7 @@ cdi() {
 
     fi
 
-    cp "${VAR_WORKDIR}/scripts/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
+    cp "${VAR_WORKDIR}/scripts/usr/lib/live/config/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
     chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
     chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
 

lib/lib_lb_config_write_trixie.sh

@@ -117,19 +117,6 @@ lb_config_write_trixie() {
   ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
   mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
   cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
-boot/initrd.img-*
-boot/vmlinu[xz]-*
-debootstrap
-debootstrap/*
-root/.wget-hsts
-usr/lib/firmware/amd/*
-usr/lib/firmware/amd-ucode/*
-usr/lib/firmware/amdtee/*
-usr/lib/firmware/intel-ucode/*
-var/cache/apt/pkgcache.bin
-var/cache/apt/srcpkgcache.bin
-var/lib/apt/lists/*
-var/lib/initramfs-tools/*-amd64
 EOF
   chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
 

scripts/etc/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

scripts/usr/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

scripts/usr/lib/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

scripts/usr/lib/live/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu