diff --git a/template/build/toolchain.lock b/template/build/toolchain.lock
index ac204f1..464fe5f 100644
--- a/template/build/toolchain.lock
+++ b/template/build/toolchain.lock
@@ -7,7 +7,7 @@
 # sets it to the next semver tag it computes from the [bump:*] commit markers
 # (default minor; see the README). A release is cut only when build/ or the
 # vendor workflow changes.
-TOOLCHAIN_VERSION=0.10.0
+TOOLCHAIN_VERSION=0.10.1
 # Where a consumer fetches assets from: the version-tagged release. The fetch
 # appends `/v/-`.
@@ -29,7 +29,7 @@ CLANG_SHA256_aarch64=105fb2d324095127a127bcba56702a86229ed8892ce6429802d30585fa2
 BPFTOOL_VERSION=7.7.0
 BPFTOOL_SHA256_x86_64=74bd16335aa1c40714fb50287a42766c6faa4958f969cce32fef89485ce4934c
 BPFTOOL_SHA256_aarch64=2b3fc4dd5e4e40bd8d670c5f1fa9693b3f879a122c0f6a3eb806dfc6735da6b7
-LIBBPF_HEADERS_SHA256=d712858662168e4e04cdc35e4a962a6056c429ed57461b974ec59b819c60e3c3
+LIBBPF_HEADERS_SHA256=f20bbda5a384eb358927f5cb8332d56f8391847674fbef3f9afbf5340f719559
 # veristat — BPF verifier statistics tool, used to check that built `*.bpf.o`
 # programs load and to track verifier complexity. Official static binary from
@@ -51,8 +51,8 @@ MAKE_SHA256_aarch64=d5d5a80c7d57795d9f13c57ecd5315b9602327370094830d7fa9e490fa21
 # source, lean (NO_CURL/NO_OPENSSL): init/add/commit/local ops only, no https
 # remotes (host git or yeet's resolver handle those). CI records checksums.
 GIT_VERSION=2.54.0
-GIT_SHA256_x86_64=0e9dff2f8fc0d44fa67971c01c46ddba710d07a2911278f7f066abec422f24b6
-GIT_SHA256_aarch64=19c6dda22c811324649e6e4aa8c369a8d822463d61d794d0e23e72fb77b5376c
+GIT_SHA256_x86_64=59f561315854bddf56b77bf0557b73231431e17b0750f613ef2e4e6c8050c5ec
+GIT_SHA256_aarch64=ff2519a8d32b789c570a3f2e25ad7b4c7d79eeef963d23b3ddbcb679fa78e8a6
 # esbuild — official static (Go) binary from the @esbuild/ npm
 # package, re-hosted on our "toolchain" release. CI records the binary
@@ -89,8 +89,8 @@ LVH_SHA256_x86_64=ca3b958ffc08a4b65e4c6c8d29a4dad077acd11f146bc84f75a30ecaa031e9
 LVH_SHA256_aarch64=49b7cef6376c445c0ab23465ecc984a771e06b3b37c39b486a4fed7fb1ded476
 # Per-arch checksum of the published qemu-.tar.gz (binary + minimal
 # share/qemu blobs). CI records these; the matrix runner verifies the tarball.
-QEMU_SHA256_x86_64=2e26722e965018c145bab180cee8feace50f91841bf51b350f14527c0d5da637
-QEMU_SHA256_aarch64=6fe353ef43918c14088c7a3741bfac54e6c17084ea462454a5b2a525ba0aa330
+QEMU_SHA256_x86_64=4869e83d3ba4be16521cba6801005cf031da00d8ddf3401e5f4a505817ad5393
+QEMU_SHA256_aarch64=5daf84e2eace328e722a9804f25fd778197b5d3dcc0047402a778f3e0c99d9bc
 # Alpine base used for the musl-static clang build.
 ALPINE_TAG=alpine:3.21
diff --git a/toolchain/build/Dockerfile.git b/toolchain/build/Dockerfile.git
index efe6d1f..57d1023 100644
--- a/toolchain/build/Dockerfile.git
+++ b/toolchain/build/Dockerfile.git
@@ -27,7 +27,13 @@ RUN curl -fSL -o git.tar.xz \
 && rm git.tar.xz
 WORKDIR /src/git-${GIT_VERSION}
+# git's Makefile defaults `prefix` to $HOME, which is /root in this build, so
+# without these the system config path bakes in as /root/etc/gitconfig — a
+# path that doesn't exist (and isn't readable) wherever the binary actually
+# runs, so every invocation aborts reading it. Pin the conventional
+# /etc/gitconfig instead, which is absent-or-readable on a normal host.
 RUN make -j"$(nproc)" \
+ prefix=/usr sysconfdir=/etc \
 NO_CURL=1 NO_OPENSSL=1 NO_TCLTK=1 NO_GETTEXT=1 NO_PYTHON=1 \
 NO_INSTALL_HARDLINKS=1 NO_PERL=1 \
 NO_REGEX=1 \
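Review bot: In toolchain/build/Dockerfile.git, `prefix=/usr sysconfdir=/etc` on the `RUN make` line fixes the system config path, but `prefix` also determines git's other baked-in default directories, which the new comment does not mention. As far as the visible lines show, only the `git` binary is exported, so on a consumer host it will now honour that host's `/etc/gitconfig` and, where the host ships its own git, may resolve its exec path and `git init` templates under `/usr`; for a vendored toolchain binary that makes behaviour depend on host state. I would extend the comment with `# NOTE: prefix=/usr also moves the baked exec-path and template dir under /usr, and the host's /etc/gitconfig is now read; callers wanting isolation should set GIT_CONFIG_NOSYSTEM=1.` The `RUN make` command continues past the end of this hunk.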
@@ -39,7 +45,13 @@ RUN make -j"$(nproc)" \
 && cp git /git \
 # Prove it can initialize a repo with no external helpers on PATH.
 && /git init -q /tmp/t && /git -C /tmp/t rev-parse --is-inside-work-tree >/dev/null \
- && echo "confirmed: git init works standalone"
+ && echo "confirmed: git init works standalone" \
+ # Re-run as a non-root user: this is the case that caught the baked /root
+ # config path. If the system config still resolved under /root, a normal
+ # user couldn't read it and git would abort here.
+ && adduser -D tester \
+ && su tester -c '/git init -q /tmp/t2 && /git -C /tmp/t2 rev-parse --is-inside-work-tree >/dev/null' \
+ && echo "confirmed: git init works as non-root"
 FROM scratch AS export
 COPY --from=build /git /git
diff --git a/toolchain/build/versions.env b/toolchain/build/versions.env
index ac204f1..464fe5f 100644
--- a/toolchain/build/versions.env
+++ b/toolchain/build/versions.env
@@ -7,7 +7,7 @@
 # sets it to the next semver tag it computes from the [bump:*] commit markers
 # (default minor; see the README). A release is cut only when build/ or the
 # vendor workflow changes.
-TOOLCHAIN_VERSION=0.10.0
+TOOLCHAIN_VERSION=0.10.1
 # Where a consumer fetches assets from: the version-tagged release. The fetch
 # appends `/v/-`.
@@ -29,7 +29,7 @@ CLANG_SHA256_aarch64=105fb2d324095127a127bcba56702a86229ed8892ce6429802d30585fa2
 BPFTOOL_VERSION=7.7.0
 BPFTOOL_SHA256_x86_64=74bd16335aa1c40714fb50287a42766c6faa4958f969cce32fef89485ce4934c
 BPFTOOL_SHA256_aarch64=2b3fc4dd5e4e40bd8d670c5f1fa9693b3f879a122c0f6a3eb806dfc6735da6b7
-LIBBPF_HEADERS_SHA256=d712858662168e4e04cdc35e4a962a6056c429ed57461b974ec59b819c60e3c3
+LIBBPF_HEADERS_SHA256=f20bbda5a384eb358927f5cb8332d56f8391847674fbef3f9afbf5340f719559
 # veristat — BPF verifier statistics tool, used to check that built `*.bpf.o`
 # programs load and to track verifier complexity. Official static binary from
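Review bot: In toolchain/build/Dockerfile.git, the added `su tester` step detects a wrong config path only indirectly, by relying on `/root` being unreadable to `tester` in this image; nothing asserts which system config path was actually compiled in. A direct check beside it, `&& [ "$(/git var GIT_CONFIG_SYSTEM)" = /etc/gitconfig ] \`, would fail the build whenever the baked path drifts, independent of directory permissions in the build image. The enclosing `RUN` command starts before this hunk.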
@@ -51,8 +51,8 @@ MAKE_SHA256_aarch64=d5d5a80c7d57795d9f13c57ecd5315b9602327370094830d7fa9e490fa21
 # source, lean (NO_CURL/NO_OPENSSL): init/add/commit/local ops only, no https
 # remotes (host git or yeet's resolver handle those). CI records checksums.
 GIT_VERSION=2.54.0
-GIT_SHA256_x86_64=0e9dff2f8fc0d44fa67971c01c46ddba710d07a2911278f7f066abec422f24b6
-GIT_SHA256_aarch64=19c6dda22c811324649e6e4aa8c369a8d822463d61d794d0e23e72fb77b5376c
+GIT_SHA256_x86_64=59f561315854bddf56b77bf0557b73231431e17b0750f613ef2e4e6c8050c5ec
+GIT_SHA256_aarch64=ff2519a8d32b789c570a3f2e25ad7b4c7d79eeef963d23b3ddbcb679fa78e8a6
 # esbuild — official static (Go) binary from the @esbuild/ npm
 # package, re-hosted on our "toolchain" release. CI records the binary
@@ -89,8 +89,8 @@ LVH_SHA256_x86_64=ca3b958ffc08a4b65e4c6c8d29a4dad077acd11f146bc84f75a30ecaa031e9
 LVH_SHA256_aarch64=49b7cef6376c445c0ab23465ecc984a771e06b3b37c39b486a4fed7fb1ded476
 # Per-arch checksum of the published qemu-.tar.gz (binary + minimal
 # share/qemu blobs). CI records these; the matrix runner verifies the tarball.
-QEMU_SHA256_x86_64=2e26722e965018c145bab180cee8feace50f91841bf51b350f14527c0d5da637
-QEMU_SHA256_aarch64=6fe353ef43918c14088c7a3741bfac54e6c17084ea462454a5b2a525ba0aa330
+QEMU_SHA256_x86_64=4869e83d3ba4be16521cba6801005cf031da00d8ddf3401e5f4a505817ad5393
+QEMU_SHA256_aarch64=5daf84e2eace328e722a9804f25fd778197b5d3dcc0047402a778f3e0c99d9bc
 # Alpine base used for the musl-static clang build.
 ALPINE_TAG=alpine:3.21