
devenv: Explicitly install ca-certificates before curl#142

Merged
cgwalters merged 1 commit into bootc-dev:main from henrywang:fix-cert
Mar 16, 2026

Conversation

@henrywang
Contributor

The Debian sid base image may not include ca-certificates, and curl only Recommends (not Depends on) it. This causes curl to fail with SSL trust anchor errors when fetching the GitHub CLI keyring.

Assisted-by: Claude Code (Opus 4.6)

The Debian sid base image may not include ca-certificates, and curl
only Recommends (not Depends on) it. This causes curl to fail with
SSL trust anchor errors when fetching the GitHub CLI keyring.

Assisted-by: Claude Code (Opus 4.6)
Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
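As an added example (not code from this PR or the bootc-dev repository), the following POSIX shell script walks through the dependency point behind the fix: a package that is only Recommended by curl is skipped whenever apt runs with --no-install-recommends, so a minimal base image can end up with curl but no CA bundle, and every HTTPS fetch then fails trust-anchor verification. The `apt-cache depends curl` excerpt is constructed to match the relationship the PR describes, and the Containerfile lines in the comments are assumed shapes, not the project's actual lines.

```shell
#!/bin/sh
# Added example, not code from the bootc PR or the project's Containerfile.
# It shows, offline, why a Recommends relationship is not enough: when apt
# runs with --no-install-recommends (or the base image lacks the package),
# curl lands without a CA bundle and HTTPS fetches fail on trust anchors.
set -eu

# Constructed excerpt in the shape of `apt-cache depends curl` output.
# The ca-certificates line mirrors the relationship the PR describes
# (Recommends, not Depends); it is an assumption, not captured from sid.
SAMPLE_DEPENDS='curl
  Depends: libc6
  Depends: libcurl4t64
  Depends: zlib1g
  Recommends: ca-certificates'

# dep_kind OUTPUT PACKAGE: print the relationship apt declares for PACKAGE
# (Pre-Depends, Depends, Recommends, Suggests) or "none".
dep_kind() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        $1 ~ /^(Pre-Depends|Depends|Recommends|Suggests):$/ && $2 == pkg {
            sub(/:$/, "", $1); print $1; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# pulled_in KIND NO_RECOMMENDS: "yes" if apt would install a package with
# relationship KIND, given whether --no-install-recommends is in effect.
pulled_in() {
    case "$1" in
        Pre-Depends|Depends) echo yes ;;
        Recommends) if [ "$2" = yes ]; then echo no; else echo yes; fi ;;
        *) echo no ;;
    esac
}

# ca_bundle_present [PATH]: succeed if a non-empty CA bundle exists at PATH
# (default: the file Debian's ca-certificates package generates). A quick
# post-install check for an image build; without this file curl cannot
# verify any server certificate.
ca_bundle_present() {
    [ -s "${1:-/etc/ssl/certs/ca-certificates.crt}" ]
}

# Illustrative Containerfile lines (assumed shape, not the project's own):
#   fragile:  RUN apt-get install -y --no-install-recommends curl
#   fixed:    RUN apt-get install -y --no-install-recommends ca-certificates curl
main() {
    kind=$(dep_kind "$SAMPLE_DEPENDS" ca-certificates)
    echo "curl -> ca-certificates relationship: $kind"
    echo "installed with --no-install-recommends: $(pulled_in "$kind" yes)"
    echo "installed with default apt settings:    $(pulled_in "$kind" no)"
    if ca_bundle_present; then
        echo "CA bundle present on this host"
    else
        echo "no CA bundle on this host: install ca-certificates before using curl over HTTPS"
    fi
}
main "$@"
```

Running `ca_bundle_present` as a RUN step right after the apt-get line is a cheap way to make an image build fail early, at the install step, rather than later at the first keyring download.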
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue in the Debian sid base image where curl operations failed due to missing SSL trust anchors. By ensuring the ca-certificates package is installed early in the container build process, the environment is properly configured for secure network communication, resolving errors encountered when fetching external resources like the GitHub CLI keyring.

Highlights

  • Dependency Management: Explicitly added ca-certificates to the initial package installation in devenv/Containerfile.debian to ensure curl can establish secure connections without SSL trust anchor errors, particularly when fetching the GitHub CLI keyring.


Changelog
  • devenv/Containerfile.debian
    • Added ca-certificates to the list of packages installed during the initial setup.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This change adds the ca-certificates package to the initial package installation list in the devenv/Containerfile.debian. This is intended to prevent SSL errors when curl is used to fetch resources over HTTPS. The modification is confined to a single line and is a direct implementation of the described fix. After reviewing the change, I have not identified any issues or necessary improvements within the scope of the modification.

@henrywang
Contributor Author

henrywang commented Mar 16, 2026

From AI's help for the package install failure.

The issue is a version transition in progress. Here's what's happening:

  - ipxe 2.0.0+dfsg-1 was uploaded to sid on March 15, 2026 (yesterday)
  - This new version has build failures — missing builds on riscv64 and all architectures
  - The ipxe-qemu binary package comes from the all architecture build, which is missing
  - So the old ipxe-qemu (1.21.1) was removed to make way for the new version, but the new ipxe-qemu (2.0.0) hasn't been built yet
  - Migration to testing is also blocked by bug #1130949
  - The maintainer is actively working on it — they disabled dh_auto_test on March 16 (today) to try to fix the build

This is a transient sid issue that should resolve within a day or two once the ipxe 2.0.0 arch:all build succeeds and produces the new ipxe-qemu package.

@cgwalters
Contributor

> The issue is a version transition in progress.

Yeah, it probably makes sense to back off using Debian sid by default and go to just cherry picking a few things. In fact what would likely help a lot here is to use the same code for bootc-ubuntu-setup on top of ubuntu-24.04.

@henrywang
Contributor Author

> Yeah, it probably makes sense to back off using Debian sid by default and go to just cherry picking a few things. In fact what would likely help a lot here is to use the same code for bootc-ubuntu-setup on top of ubuntu-24.04.

Can I replace Containerfile.debian based on ubuntu:24.04? The DevContainer will be ubuntu one.

@cgwalters cgwalters merged commit 79eb6aa into bootc-dev:main Mar 16, 2026
13 of 17 checks passed
@henrywang henrywang deleted the fix-cert branch March 16, 2026 15:37
@cgwalters
Contributor

I think in order to avoid breaking things let's add a new one, then roll it out by default.

That said we already have the c10s based one, we could also just use that by default.
I explicitly used a debian one by default because I think we must support other ecosystems beyond just fedora derivatives here with our tools and having a debian env for the devcontainer helps force that.

One thing that'd be nice is if devcontainers supported "alternative images" nicely as we're doing here so folks can choose.
