diff --git a/iso/builder/VERSIONS b/iso/builder/VERSIONS index 0ed59b7..a73e645 100644 --- a/iso/builder/VERSIONS +++ b/iso/builder/VERSIONS @@ -1,7 +1,8 @@ DEBIAN_VERSION=12 DEBIAN_KERNEL_ABI=6.1.0-43 NVIDIA_DRIVER_VERSION=590.48.01 -NCCL_VERSION=2.26.2-1 -NCCL_CUDA_VERSION=12.8 +NCCL_VERSION=2.28.9-1 +NCCL_CUDA_VERSION=13.0 +NCCL_SHA256=2e6faafd2c19cffc7738d9283976a3200ea9db9895907f337f0c7e5a25563186 GO_VERSION=1.24.0 AUDIT_VERSION=1.0.0 diff --git a/iso/builder/build-nccl.sh b/iso/builder/build-nccl.sh index 61751ce..62bb161 100755 --- a/iso/builder/build-nccl.sh +++ b/iso/builder/build-nccl.sh @@ -2,8 +2,7 @@ # build-nccl.sh — download and extract NCCL shared library for the LiveCD. # # Downloads libnccl2 .deb from NVIDIA's CUDA apt repository (Debian 12, x86_64) -# and extracts the shared library. Transport security via HTTPS; package integrity -# verified by sha256 from NVIDIA's Packages index. +# and extracts the shared library. Package integrity verified via sha256. # # Output is cached in DIST_DIR/nccl-+cuda/ so subsequent builds # are instant unless NCCL_VERSION or NCCL_CUDA_VERSION changes. @@ -16,10 +15,11 @@ set -e NCCL_VERSION="$1" NCCL_CUDA_VERSION="$2" DIST_DIR="$3" +EXPECTED_SHA256="$4" -[ -n "$NCCL_VERSION" ] || { echo "usage: $0 "; exit 1; } -[ -n "$NCCL_CUDA_VERSION" ] || { echo "usage: $0 "; exit 1; } -[ -n "$DIST_DIR" ] || { echo "usage: $0 "; exit 1; } +[ -n "$NCCL_VERSION" ] || { echo "usage: $0 [sha256]"; exit 1; } +[ -n "$NCCL_CUDA_VERSION" ] || { echo "usage: $0 [sha256]"; exit 1; } +[ -n "$DIST_DIR" ] || { echo "usage: $0 [sha256]"; exit 1; } echo "=== NCCL ${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION} ===" @@ -45,6 +45,19 @@ echo "=== downloading NCCL package ===" echo "URL: ${PKG_URL}" wget --show-progress -O "$DEB_FILE" "$PKG_URL" +if [ -n "$EXPECTED_SHA256" ]; then + echo "=== verifying sha256 ===" + ACTUAL_SHA256=$(sha256sum "$DEB_FILE" | awk '{print $1}') + if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then + echo "ERROR: sha256 mismatch" + echo " expected: $EXPECTED_SHA256" + echo " actual: $ACTUAL_SHA256" + rm -f "$DEB_FILE" + exit 1 + fi + echo "sha256 OK" +fi + echo "=== extracting NCCL libraries ===" EXTRACT_TMP=$(mktemp -d) trap 'rm -rf "$EXTRACT_TMP"' EXIT INT TERM diff --git a/iso/builder/build.sh b/iso/builder/build.sh index a8efd0a..76da104 100755 --- a/iso/builder/build.sh +++ b/iso/builder/build.sh @@ -189,7 +189,7 @@ fi # --- build / download NCCL --- echo "" echo "=== downloading NCCL ${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION} ===" -sh "${BUILDER_DIR}/build-nccl.sh" "${NCCL_VERSION}" "${NCCL_CUDA_VERSION}" "${DIST_DIR}" +sh "${BUILDER_DIR}/build-nccl.sh" "${NCCL_VERSION}" "${NCCL_CUDA_VERSION}" "${DIST_DIR}" "${NCCL_SHA256:-}" NCCL_CACHE="${DIST_DIR}/nccl-${NCCL_VERSION}+cuda${NCCL_CUDA_VERSION}"