diff --git a/.github/workflows/assets.yml b/.github/workflows/assets.yml
index 98cab558f76..dc8eb2e96a3 100644
--- a/.github/workflows/assets.yml
+++ b/.github/workflows/assets.yml
@@ -80,12 +80,12 @@ jobs:
         run: |
           HV=${{ matrix.hv }}
           if [ "${{ github.event.repository.full_name }}" = "lf-edge/eve" ]; then
-             EVE=lfedge/eve:${TAG}-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
+             EVE=10.208.13.132/lfedge/eve:${TAG}-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
              docker pull "$EVE"
           else
              make pkgs
              make HV=${HV} ZARCH=${{ env.ARCH }} PLATFORM=${{ matrix.platform }} eve
-             EVE=lfedge/eve:$(make version)-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
+             EVE=10.208.13.132/lfedge/eve:$(make version)-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
           fi
           echo "EVE=$EVE" >> "$GITHUB_ENV"
       - name: Generate EVE binary assets
@@ -100,7 +100,7 @@ jobs:
       - name: Pull eve-sources and publish collected_sources.tar.gz to assets
         run: |
           HV=${{ matrix.hv }}
-          EVE_SOURCES=lfedge/eve-sources:${TAG}-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
+          EVE_SOURCES=10.208.13.132/lfedge/eve-sources:${TAG}-${{ env.PLATFORMVER }}${HV}-${{ env.ARCH }}
           docker pull "$EVE_SOURCES"
           docker create --name eve_sources "$EVE_SOURCES" bash
           docker export --output assets/collected_sources.tar.gz eve_sources
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4cc8eac32b5..27cdd68d1d9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -56,7 +56,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 0
       - name: Login to Docker Hub
-        if: ${{ github.event.repository.full_name }}== 'lf-edge/eve'
+        if: ${{ github.event.repository.full_name }}== 'rene/eve'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_PULL_USER }}
@@ -127,7 +127,7 @@ jobs:
           fetch-depth: 0
 
       - name: Login to Docker Hub
-        if: ${{ github.event.repository.full_name }}== 'lf-edge/eve'
+        if: ${{ github.event.repository.full_name }}== 'rene/eve'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_PULL_USER }}
diff --git a/.github/workflows/eden-trusted.yml b/.github/workflows/eden-trusted.yml
new file mode 100644
index 00000000000..152743429fc
--- /dev/null
+++ b/.github/workflows/eden-trusted.yml
@@ -0,0 +1,46 @@
+name: PR Approval Runner   # secrets-enabled stage
+on:
+  workflow_run:
+    workflows: ["PR Approval Gate"]
+    types: [completed]
+
+jobs:
+  context:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    outputs:
+      pr:     ${{ steps.parse.outputs.pr }}
+      run_id: ${{ steps.parse.outputs.run_id }}
+
+    steps:
+      - name: Download Gate context
+        uses: actions/download-artifact@v4
+        with:
+          name: gate-context
+          run-id: ${{ github.event.workflow_run.id }}   # isolate to this Gate run
+
+      - id: parse
+        run: |
+          PR=$(jq -r '.pr'  gate-context.json)
+          RUN=$(jq -r '.run' gate-context.json)
+          echo "pr=$PR"       >> "$GITHUB_OUTPUT"
+          echo "run_id=$RUN"  >> "$GITHUB_OUTPUT"
+
+  test_suite_pr:
+    uses: lf-edge/eden/.github/workflows/test.yml@1.0.2
+    needs: context
+    secrets: inherit
+    if: ${{ needs.context.outputs.pr != '' }}             # extra guard
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:     [amd64]
+        hv:       [kvm]
+        platform: ["generic"]
+
+    with:
+      eve_image:         "evebuild/pr:${{ needs.context.outputs.pr }}"
+      eve_log_level:     "debug"
+      eve_artifact_name: "eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}"
+      artifact_run_id:   ${{ needs.context.outputs.run_id }}
+      eden_version:      "1.0.2"
diff --git a/.github/workflows/eden.yml b/.github/workflows/eden.yml
index fdbdca09002..5f1fb77b995 100644
--- a/.github/workflows/eden.yml
+++ b/.github/workflows/eden.yml
@@ -1,5 +1,5 @@
 ---
-name: lf-edge/eden Test suite
+name: rene/eden Test suite
 
 # yamllint disable-line rule:truthy
 on:
@@ -113,27 +113,27 @@ jobs:
         hv: [kvm]
         platform: ["generic"]
     if: github.event.review.state == 'approved'
-    uses: lf-edge/eden/.github/workflows/test.yml@1.0.2
+    uses: rene/eden/.github/workflows/test.yml@2.0.0
     secrets: inherit
     with:
       eve_image: "evebuild/pr:${{ github.event.pull_request.number  }}"
       eve_log_level: "debug"
       eve_artifact_name: eve-${{ matrix.hv }}-${{ matrix.arch }}-${{ matrix.platform }}
       artifact_run_id: ${{ needs.get_run_id.outputs.run_id }}
-      eden_version: "1.0.2"
+      eden_version: "2.0.0"
 
   test_suite_master:
     if: github.ref == 'refs/heads/master'
-    uses: lf-edge/eden/.github/workflows/test.yml@1.0.2
+    uses: rene/eden/.github/workflows/test.yml@2.0.0
     secrets: inherit
     with:
       eve_image: "lfedge/eve:snapshot"
-      eden_version: "1.0.2"
+      eden_version: "2.0.0"
 
   test_suite_tag:
     if: startsWith(github.ref, 'refs/tags')
-    uses: lf-edge/eden/.github/workflows/test.yml@1.0.2
+    uses: rene/eden/.github/workflows/test.yml@2.0.0
     secrets: inherit
     with:
       eve_image: "lfedge/eve:${{ github.ref_name }}"
-      eden_version: "1.0.2"
+      eden_version: "2.0.0"
diff --git a/.github/workflows/pr-approval-gate.yml b/.github/workflows/pr-approval-gate.yml
new file mode 100644
index 00000000000..09980a3ec23
--- /dev/null
+++ b/.github/workflows/pr-approval-gate.yml
@@ -0,0 +1,73 @@
+name: PR Approval Gate
+on:
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check_md_wf_files:
+    if: ${{ github.event.review.state == 'approved' }}
+    runs-on: ubuntu-latest
+    outputs:
+      only_md:                 ${{ steps.detect.outputs.only_md }}
+      workflow_files_modified: ${{ steps.detect.outputs.workflow_files_modified }}
+    steps:
+      - name: Detect changes (md vs workflows)
+        id: detect
+        env:
+          PR_FILES_URL: ${{ github.event.pull_request._links.self.href }}/files
+        run: |
+          RESPONSE=$(curl -s "$PR_FILES_URL")
+          MODIFIED_FILES=$(echo "$RESPONSE" | jq -r '.[].filename')
+
+          ONLY_MD=true
+          echo "$MODIFIED_FILES" | grep -vq '\.md$' && ONLY_MD=false
+          echo "only_md=$ONLY_MD" >> "$GITHUB_OUTPUT"
+
+          WF_MOD=false
+          echo "$MODIFIED_FILES" | grep -qE '^\.github/workflows/.*\.(yml|yaml)$' && WF_MOD=true
+          echo "workflow_files_modified=$WF_MOD" >> "$GITHUB_OUTPUT"
+
+  get_run_id:
+    if: |
+      github.event.review.state == 'approved' &&
+      needs.check_md_wf_files.outputs.only_md == 'false' &&
+      needs.check_md_wf_files.outputs.workflow_files_modified == 'false'
+    runs-on: ubuntu-latest
+    needs: check_md_wf_files
+    outputs:
+      run_id: ${{ steps.fetch.outputs.run_id }}
+    steps:
+      - name: Fetch latest successful build run-ID
+        id: fetch
+        env:
+          HEAD_SHA:     ${{ github.event.pull_request.head.sha }}
+          REPO:         ${{ github.repository }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # read-only in forks – enough for public metadata
+        run: |
+          url="https://api.github.com/repos/$REPO/actions/workflows/build.yml/runs?head_sha=$HEAD_SHA&status=success"
+          RUN_ID=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$url" | jq -r '.workflow_runs[0].id')
+          if [ "$RUN_ID" = "null" ] || [ -z "$RUN_ID" ]; then
+            echo "No successful build.yml run found"; exit 0
+          fi
+          echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
+
+  save_context:
+    #needs: get_run_id
+    runs-on: ubuntu-latest
+    steps:
+      - name: Write context JSON
+        run: |
+          cat > gate-context.json <<EOF
+          {
+            "pr":  "${{ github.event.pull_request.number }}",
+            "run": "${{ needs.get_run_id.outputs.run_id }}"
+          }
+          EOF
+      - uses: actions/upload-artifact@v4
+        with:
+          name: gate-context          # fixed name—safe per-run
+          path: gate-context.json
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 50ca8fc58af..eefd5a963a7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,7 +19,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   # 1) non-ARM packages, fully parallel
   packages-non-arm:
-    if: github.event.repository.full_name == 'lf-edge/eve'
+    if: github.event.repository.full_name == 'rene/eve'
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -67,7 +67,7 @@ jobs:
         run: |
           SUCCESS=
           for i in 1 2 3; do
-            if make -e V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push PRUNE=1 pkgs; then
+            if make -e V=1 REGISTRY=10.208.13.132 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push PRUNE=1 pkgs; then
               SUCCESS=true
               break
             else
@@ -95,7 +95,7 @@ jobs:
 
   # 2) ARM packages, serialized
   packages-arm:
-    if: github.event.repository.full_name == 'lf-edge/eve'
+    if: github.event.repository.full_name == 'rene/eve'
     runs-on: ${{ matrix.os }}
     timeout-minutes: 1440  # It takes more time when building arm64 on an amd64 runner
     strategy:
@@ -145,7 +145,7 @@ jobs:
           echo "TAG=$(echo "$REF" | sed -e 's#^.*/##' -e 's#master#snapshot#' -e 's#main#snapshot#')" >> "$GITHUB_ENV"
 
       - name: Login to Docker Hub
-        if: ${{ github.event.repository.full_name }}== 'lf-edge/eve'
+        if: ${{ github.event.repository.full_name }}== 'rene/eve'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
@@ -157,7 +157,7 @@ jobs:
           # sadly, our build sometimes times out on network access
           # and running out of disk space: re-trying for 3 times
           for i in 1 2 3; do
-             if make -e V=1 ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push PRUNE=1 pkgs; then
+             if make -e V=1 REGISTRY=10.208.13.132 ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push PRUNE=1 pkgs; then
                 SUCCESS=true
                 break
              else
@@ -189,7 +189,7 @@ jobs:
 
   # 3) downstream jobs depend on both package jobs
   eve:
-    if: github.event.repository.full_name == 'lf-edge/eve'
+    if: github.event.repository.full_name == 'rene/eve'
     needs: [packages-non-arm, packages-arm]
     runs-on: zededa-ubuntu-2204
     strategy:
@@ -217,13 +217,13 @@ jobs:
           fetch-depth: 0
       - uses: ./.github/actions/run-make
         with:
-          command: "V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push eve"
+          command: "V=1 REGISTRY=10.208.13.132 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push eve"
           dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
           dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
       - uses: ./.github/actions/run-make
         if: matrix.arch != 'riscv64'
         with:
-          command: "V=1 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push sbom collected_sources compare_sbom_collected_sources publish_sources"
+          command: "V=1 REGISTRY=10.208.13.132 HV=${{ matrix.hv }} ZARCH=${{ matrix.arch }} PLATFORM=${{ matrix.platform }} LINUXKIT_PKG_TARGET=push sbom collected_sources compare_sbom_collected_sources publish_sources"
           dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
           dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
       - name: Clean
@@ -235,7 +235,7 @@ jobs:
           rm -rf ~/.linuxkit || :
 
   manifest:
-    if: github.event.repository.full_name == 'lf-edge/eve'
+    if: github.event.repository.full_name == 'rene/eve'
     needs: [packages-non-arm, packages-arm]
     runs-on: zededa-ubuntu-2204
     steps:
@@ -244,13 +244,13 @@ jobs:
           fetch-depth: 0
       - uses: ./.github/actions/run-make
         with:
-          command: "V=1 LINUXKIT_PKG_TARGET=manifest pkgs"
+          command: "V=1 REGISTRY=10.208.13.132 LINUXKIT_PKG_TARGET=manifest pkgs"
           dockerhub-token: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
           dockerhub-account: ${{ secrets.RELEASE_DOCKERHUB_ACCOUNT }}
 
   trigger_assets:
-    if: ${{ (startsWith(github.ref, 'refs/tags/')) && (github.event.repository.full_name == 'lf-edge/eve') }}
+    if: ${{ (startsWith(github.ref, 'refs/tags/')) && (github.event.repository.full_name == 'rene/eve') }}
     needs: [manifest, eve]
-    uses: lf-edge/eve/.github/workflows/assets.yml@master
+    uses: rene/eve/.github/workflows/assets.yml@master
     with:
       tag_ref: ${{ github.ref_name }}
diff --git a/Makefile b/Makefile
index f9d91ad0bdc..3eae27e3430 100644
--- a/Makefile
+++ b/Makefile
@@ -815,9 +815,9 @@ compare_sbom_collected_sources: $(COLLECTED_SOURCES) $(SBOM) | $(COMPARESOURCES)
 publish_sources: $(COLLECTED_SOURCES)
 	$(QUIET): $@: Begin
 	cp pkg/sources/* $(SOURCES_DIR)
-	$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(ROOTFS_VERSION)-$(HV) --docker $(if $(strip $(EVE_REL)),--release) $(EVE_REL)$(if $(strip $(EVE_REL)),-$(HV)) $(SOURCES_DIR) $|
+	$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) --builder-image renezededa/buildkit:latest --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(ROOTFS_VERSION)-$(HV) --docker $(if $(strip $(EVE_REL)),--release) $(EVE_REL)$(if $(strip $(EVE_REL)),-$(HV)) $(SOURCES_DIR) $|
 	$(QUIET)if [ -n "$(EVE_REL)" ] && [ $(HV) = $(HV_DEFAULT) ]; then \
-	   $(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(EVE_REL)-$(HV) --docker --release $(EVE_REL) $(SOURCES_DIR) $| ;\
+		$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) --builder-image renezededa/buildkit:latest $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(EVE_REL)-$(HV) --docker --release $(EVE_REL) $(SOURCES_DIR) $| ;\
 	fi
 	$(QUIET): $@: Succeeded
 
@@ -891,9 +891,9 @@ eve: $(INSTALLER) $(EVE_ARTIFACTS) current $(RUNME) $(BUILD_YML) | $(BUILD_DIR)
 	$(QUIET): "$@: Begin: EVE_REL=$(EVE_REL), HV=$(HV), LINUXKIT_PKG_TARGET=$(LINUXKIT_PKG_TARGET)"
 	cp images/out/*.yml $|
 	$(PARSE_PKGS) pkg/eve/Dockerfile.in > $|/Dockerfile
-	$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(ROOTFS_VERSION)-$(HV) --docker $(if $(strip $(EVE_REL)),--release) $(EVE_REL)$(if $(strip $(EVE_REL)),-$(HV)) $(FORCE_BUILD) $|
+	$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) --builder-image renezededa/buildkit:latest $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(ROOTFS_VERSION)-$(HV) --docker $(if $(strip $(EVE_REL)),--release) $(EVE_REL)$(if $(strip $(EVE_REL)),-$(HV)) $(FORCE_BUILD) $|
 	$(QUIET)if [ -n "$(EVE_REL)" ] && [ $(HV) = $(HV_DEFAULT) ]; then \
-	   $(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(EVE_REL)-$(if $(TAGPLAT),$(TAGPLAT)-)$(HV) --docker --release $(EVE_REL) $(FORCE_BUILD) $| ;\
+		$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) --builder-image renezededa/buildkit:latest $(LINUXKIT_ORG_TARGET) --platforms linux/$(ZARCH) --hash-path $(CURDIR) --hash $(EVE_REL)-$(if $(TAGPLAT),$(TAGPLAT)-)$(HV) --docker --release $(EVE_REL) $(FORCE_BUILD) $| ;\
 	fi
 	$(QUIET): $@: Succeeded
 
@@ -1067,7 +1067,7 @@ eve-%: pkg/%/Dockerfile build-tools $(RESCAN_DEPS)
 	$(QUIET): "$@: Begin: LINUXKIT_PKG_TARGET=$(LINUXKIT_PKG_TARGET)"
 	$(eval LINUXKIT_DOCKER_LOAD := $(if $(filter $(PKGS_DOCKER_LOAD),$*),--docker,))
 	$(eval LINUXKIT_BUILD_PLATFORMS_LIST := $(call uniq,linux/$(ZARCH) $(if $(filter $(PKGS_HOSTARCH),$*),linux/$(HOSTARCH),)))
-	$(eval LINUXKIT_BUILD_PLATFORMS := --platforms $(subst $(space),$(comma),$(strip $(LINUXKIT_BUILD_PLATFORMS_LIST))))
+	$(eval LINUXKIT_BUILD_PLATFORMS := --builder-image renezededa/buildkit:latest --platforms $(subst $(space),$(comma),$(strip $(LINUXKIT_BUILD_PLATFORMS_LIST))))
 	$(eval LINUXKIT_FLAGS := $(if $(filter manifest,$(LINUXKIT_PKG_TARGET)),,$(FORCE_BUILD) $(LINUXKIT_DOCKER_LOAD) $(LINUXKIT_BUILD_PLATFORMS)))
 	$(QUIET)$(LINUXKIT) $(DASH_V) pkg $(LINUXKIT_PKG_TARGET) $(LINUXKIT_ORG_TARGET) $(LINUXKIT_OPTS) $(LINUXKIT_FLAGS) --build-yml $(call get_pkg_build_yml,$*) pkg/$*
 	$(QUIET)if [ -n "$(PRUNE)" ]; then \
diff --git a/build-tools/src/scripts/Dockerfile b/build-tools/src/scripts/Dockerfile
index e79351a35a0..520e9c18a2d 100644
--- a/build-tools/src/scripts/Dockerfile
+++ b/build-tools/src/scripts/Dockerfile
@@ -55,6 +55,12 @@ RUN rm -rf /tmp/zfs-out/usr/share && rm -rf /tmp/zfs-out/usr/src && \
 
 RUN cp -r /tmp/zfs-out/* /
 
+COPY domain.crt /tmp/domain.crt
+
+RUN mkdir -p /etc/docker/certs.d/10.208.13.132
+RUN cp /tmp/domain.crt /etc/docker/certs.d/10.208.13.132/ca.crt
+RUN cp /tmp/domain.crt /usr/local/share/ca-certificates/selfs.crt
+RUN update-ca-certificates
 
 RUN go install github.com/golang/protobuf/protoc-gen-go@v1.5.2
 RUN go install gotest.tools/gotestsum@v1.7.0
@@ -64,3 +70,4 @@ RUN mv /go/bin/* /usr/bin
 ENV HOME /home/${USER}
 ENV GOFLAGS=-mod=vendor
 ENV GO111MODULE=on
+ENV REGISTRY=${REGISTRY}
diff --git a/build-tools/src/scripts/build-all-tags.sh b/build-tools/src/scripts/build-all-tags.sh
index 0c94888b40e..072cc51e417 100755
--- a/build-tools/src/scripts/build-all-tags.sh
+++ b/build-tools/src/scripts/build-all-tags.sh
@@ -11,7 +11,7 @@ if [ $# -lt 2 ] ; then
 fi
 
 REPO=${1:-lfedge/eve}
-CMD=${2:-"LINUXKIT_PKG_TARGET=push ; make pkgs ; make eve"}
+CMD=${2:-"REGISTRY=${LINUXKIT_ORG_TARGET} LINUXKIT_PKG_TARGET=push ; make pkgs ; make eve"}
 
 case $(uname -m) in
   x86_64) ARCH=-amd64
diff --git a/build-tools/src/scripts/domain.crt b/build-tools/src/scripts/domain.crt
new file mode 100644
index 00000000000..12dd6bcd937
--- /dev/null
+++ b/build-tools/src/scripts/domain.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgjCCA2qgAwIBAgIUDbZ7xVa2l/BFggSc7lSPmb8J+/owDQYJKoZIhvcNAQEL
+BQAwYTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBFVuaXQxFjAUBgNVBAMMDTEwLjIwOC4x
+My4xMzIwHhcNMjUwNTAxMTEwMTA4WhcNMjYwNTAxMTEwMTA4WjBhMQswCQYDVQQG
+EwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09y
+ZzENMAsGA1UECwwEVW5pdDEWMBQGA1UEAwwNMTAuMjA4LjEzLjEzMjCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBALNzmntLtp7jh0w2go0dcAoQ5yUu9w2r
+/1nwtKg4J7mp0qICLdUxFZ/YDcXDTGex6jcnCd2U3yuayStaGkyceG2+u6G2av9M
+5pdzoTyT6zFFvYjxbIENsBlVJKY7CRx8Ya5eM0CPEcLgW/BlQOl/R0r/Z8iR34Qz
+89q+Y46kCQvCyFKxNflwDChMNb91Aa/RLDBrIl7kzOWKwn9cwcIKxkNR92W+SNpi
+s8rV3O1zvKoh3NBhHZbEYV3m+x9xxCNSgkCyYxeuNJk6NkUWvDAaNOmndAm6u6He
+ECbKkqYK/xzlM9piaOXFGOYnIpAVQ3LejDhx2wltB2yhhY0rau40UrbZJ0MywQRR
+a5DWhWZBNgyBafsb02WWlF0ZIoGUt/uzTtvzJ79F33HBW/FtZwegVLGowKmyFXFd
+SfnDg8ZuD4tbE2ojjBkdb+MEKdbB/tW9ShkUB1lYvfAJYwAKRzFa0iyPdEz8jMQ/
+tYxqmInPYF3Vdg69qch/W/UelKAZidiWvX2K1Z5D3M3Vk24ImgsjX5bBWp4P2Cum
+D6axGdmPs9P7CPrDoGcee8KDiQbx3SW675tAX9gbBwtHtF7toN3I+QKe9iuHqOzF
+UTHWZK83c08ci2+U7J7OKQcpDTgLNEzRlNCv7D0y4V7LBtUCCV0tsncoDyIQF5ay
+nkbRYnvBVKZHAgMBAAGjMjAwMA8GA1UdEQQIMAaHBArQDYQwHQYDVR0OBBYEFPeu
+KU/n/Cdhj1/rWUiGoGaibPdmMA0GCSqGSIb3DQEBCwUAA4ICAQBKB/60DQMYSX94
+Rj5+fisotHYq1tjK6i0HgWQk9GmmP3C58rSnKqDTBg1oreZMyK+o54y4r2oDbDus
+Ad+cBd3K/N3rOFkicOaaWRt3Hh1M0oB3XavqCkSY6ceNRvc7g/Dz9psWXC4MJTgA
+QGVrKk2UsVwNzPbZ3zdXVa/0uZHXvCCtKEAiKBokLnY3u0l4/Dr8NuEud61xaTMI
+/h+ZQXf2I6TlVJc2ip37k9/R4Spd/wsIcqe3H4eYWb59Md8056lFULhxtqgV2VVw
+KArD9myQRqcUnxe2TKRxUSjNKdlbaJKWGm+9q8mlJxzizG6UEAIZ3Sve3eRZBn9E
+7ZrOZRlFnGHZArYNJuF9cXJXOA8W56etpTWCxG0BnfUaV7Hcv+PzkftUC2F/XAhk
+eg/afvBEs9ZSghzXIwkN8WJNfoaYR9ms7wcdDYDdwHcSgcYlFTepqjL71ePYxass
+67fBqXp0B+/Vii9eKXFQg4w/vhN0CRmv43PXNqXd4vS46upCvntHaULaD4PwlwHh
+ciAEf/Y6wBYvDGvnktSISSCtQOHc8GPjtP2+WE3HCNkODEOWHSAZiNnJic0twt7b
+Ev3M2Uzar7PTwelisHjEk3X+//ei18UZOi2KkzKTyxHwMhGV9dCG4VZFCubY4l4v
+NTJMNUpoyAVm4PGjMnr59uPRow6TNw==
+-----END CERTIFICATE-----
diff --git a/pkg/grub/Dockerfile b/pkg/grub/Dockerfile
index f95b44fb068..037adcde38b 100644
--- a/pkg/grub/Dockerfile
+++ b/pkg/grub/Dockerfile
@@ -51,7 +51,7 @@ ENV GRUB_PLATFORM=efi
 # hadolint ignore=DL3006
 FROM grub-build-${TARGETARCH} AS grub-build
 
-ENV GRUB_REPO=https://git.savannah.gnu.org/cgit/grub.git
+ENV GRUB_REPO=http://10.208.13.10
 
 COPY patches /patches
 COPY patches-2.06  /patches-2.06
@@ -63,7 +63,7 @@ RUN ln -s python3 /usr/bin/python && \
 
 ADD ${GRUB_REPO}/snapshot/grub-${GRUB_COMMIT}.tar.gz /grub.tar.gz
 ENV GNULIB_REVISION=d271f868a8df9bbec29049d01e056481b7a1a263
-ADD --keep-git-dir git://git.sv.gnu.org/gnulib#${GNULIB_REVISION} /gnulib
+ADD --keep-git-dir https://github.com/coreutils/gnulib.git#${GNULIB_REVISION} /gnulib
 
 # the below does a weird init of a git repo, because we are not cloning the
 # repo, yet we need to be in a repo to apply patches with `git am`.
diff --git a/pkg/nvidia/Dockerfile b/pkg/nvidia/Dockerfile
index eb8cb6d7a02..2dfabe17b61 100644
--- a/pkg/nvidia/Dockerfile
+++ b/pkg/nvidia/Dockerfile
@@ -19,8 +19,8 @@ RUN git config --global user.email 'builder@projecteve.dev' && \
     git config --global user.name 'Project EVE'
 
 # Jetpack tarballs
-ENV JETSON_JP5=https://developer.nvidia.com/downloads/embedded/l4t/r35_release_v5.0/release/jetson_linux_r35.5.0_aarch64.tbz2
-ENV JETSON_JP6=https://developer.nvidia.com/downloads/embedded/l4t/r36_release_v3.0/release/jetson_linux_r36.3.0_aarch64.tbz2
+ENV JETSON_JP5=http://10.208.13.10/jetson_linux_r35.5.0_aarch64.tbz2
+ENV JETSON_JP6=http://10.208.13.10/jetson_linux_r36.3.0_aarch64.tbz2
 
 # Default Jetpack version
 ENV JETSON_LINUX=${JETSON_JP5}
diff --git a/pkg/pillar/cmd/baseosmgr/baseosmgr.go b/pkg/pillar/cmd/baseosmgr/baseosmgr.go
index dd1f7d70d0b..d5609bfcab3 100644
--- a/pkg/pillar/cmd/baseosmgr/baseosmgr.go
+++ b/pkg/pillar/cmd/baseosmgr/baseosmgr.go
@@ -5,6 +5,8 @@
 // interfaces with zedagent for configuration update
 // interfaces with volumemgr to get the images/blobs as volumes
 
+// Hello World again! 
+
 package baseosmgr
 
 import (