diff --git a/flake.nix b/flake.nix
index 56779e2..d88fac5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -113,12 +113,19 @@
           # Debian Live flavors
           mrescue-debian-standard = mkDebianLive {
             flavor = "standard";
+            version = "13.3.0";
             hash = "sha256-7is9X5vGfYAe7+3b1WmO+7CzU1hyS37T20Yb4/Xn7NY=";
           };
           mrescue-debian-xfce = mkDebianLive {
             flavor = "xfce";
+            version = "13.3.0";
             hash = "sha256-xvHLR2gOOdsTIu7FrOZdxgfG6keqniEhhf9ywJmtNXQ=";
           };
+          mrescue-debian-kde = mkDebianLive {
+            flavor = "kde";
+            version = "13.3.0";
+            hash = "sha256-ahYjQLygLt9n4VnIR81gVhinfVC/ggiO5RT4M2nkO4k=";
+          };
           vanta-agent = super.callPackage ./pkgs/vanta-agent.nix { };
           gcloud-wrapped = super.callPackage ./pkgs/gcloud-wrapped { };
           go-raceless = super.callPackage ./pkgs/go-raceless { inherit (nicer) ; };
@@ -407,6 +414,7 @@
             mrescue-alpine
             mrescue-debian-standard
             mrescue-debian-xfce
+            mrescue-debian-kde
             sentinelone
             ;
         };
diff --git a/pkgs/mrescue-alpine.nix b/pkgs/mrescue-alpine.nix
index fd9502a..3957cb5 100644
--- a/pkgs/mrescue-alpine.nix
+++ b/pkgs/mrescue-alpine.nix
@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
   pname = "mrescue-alpine";
-  version = "3.23.2";
+  version = "3.23.3";
 
   src = fetchurl {
     url = "https://dl-cdn.alpinelinux.org/alpine/v3.23/releases/x86_64/alpine-netboot-${version}-x86_64.tar.gz";
-    hash = "sha256-nFfzrPH1KI2R3OXBOluV7wB/hY63ImxWp/tyzBahpK0=";
+    hash = "sha256-U/tUZvdhLU/2Fr3g9jfwuM0mfX5SrtxwUiD0h+Qx8VA=";
   };
 
   nativeBuildInputs = with pkgs; [
diff --git a/pkgs/mrescue-debian.nix b/pkgs/mrescue-debian.nix
index d740618..38beed6 100644
--- a/pkgs/mrescue-debian.nix
+++ b/pkgs/mrescue-debian.nix
@@ -5,12 +5,13 @@
 }:
 {
   flavor,
+  version,
   hash,
 }:
 
 stdenv.mkDerivation rec {
   pname = "mrescue-debian-${flavor}";
-  version = "13.3.0";
+  inherit version;
 
   src = fetchurl {
     url = "https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-${version}-amd64-${flavor}.iso";
diff --git a/scripts/update-alpine.sh b/scripts/update-alpine.sh
new file mode 100755
index 0000000..ddc6d7a
--- /dev/null
+++ b/scripts/update-alpine.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Script to get latest Alpine version and hash
+# Usage: ./update-alpine.sh
+
+# Get the latest Alpine version by checking the releases page
+# Alpine versions are in format like "3.23.2" under v3.23 directory
+LATEST_MINOR=$(curl -s https://dl-cdn.alpinelinux.org/alpine/ | \
+    grep -oP 'v\d+\.\d+' | \
+    sort -V | \
+    tail -n1)
+
+if [[ -z "$LATEST_MINOR" ]]; then
+    echo "Error: Could not determine latest Alpine minor version" >&2
+    exit 1
+fi
+
+# Get the latest patch version from that minor version
+VERSION=$(curl -s "https://dl-cdn.alpinelinux.org/alpine/${LATEST_MINOR}/releases/x86_64/" | \
+    grep -oP 'alpine-netboot-\K[\d.]+(?=-x86_64\.tar\.gz)' | \
+    sort -V | \
+    tail -n1)
+
+if [[ -z "$VERSION" ]]; then
+    echo "Error: Could not determine latest Alpine version" >&2
+    exit 1
+fi
+
+# Download the .sha256 checksum file
+CHECKSUM_URL="https://dl-cdn.alpinelinux.org/alpine/${LATEST_MINOR}/releases/x86_64/alpine-netboot-${VERSION}-x86_64.tar.gz.sha256"
+HASH_HEX=$(curl -s "$CHECKSUM_URL" | awk '{print $1}')
+
+if [[ -z "$HASH_HEX" ]]; then
+    echo "Error: Could not download checksum from $CHECKSUM_URL" >&2
+    exit 1
+fi
+
+# Convert hex hash to SRI format
+HASH_SRI=$(nix-hash --type sha256 --to-sri "$HASH_HEX")
+
+# Output version and hash
+echo "version: $VERSION"
+echo "hash: $HASH_SRI"
diff --git a/scripts/update-debian.sh b/scripts/update-debian.sh
new file mode 100755
index 0000000..e846df8
--- /dev/null
+++ b/scripts/update-debian.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Script to generate updated Debian Live package definition
+# Usage: ./update-debian.sh <flavor>
+#   flavor: standard, xfce, kde, gnome, etc.
+
+SHA256SUMS_URL="https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA256SUMS"
+
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <flavor>" >&2
+    echo "  flavor: standard, xfce, kde, gnome, etc." >&2
+    exit 1
+fi
+
+FLAVOR="$1"
+
+# Download SHA256SUMS file
+SHA256SUMS_CONTENT=$(curl -s "$SHA256SUMS_URL")
+
+if [[ -z "$SHA256SUMS_CONTENT" ]]; then
+    echo "Error: Could not download SHA256SUMS file" >&2
+    exit 1
+fi
+
+# Extract version from any filename in SHA256SUMS
+VERSION=$(echo "$SHA256SUMS_CONTENT" | \
+    grep -oP 'debian-live-\K[\d.]+(?=-amd64-\w+\.iso)' | \
+    head -n1)
+
+if [[ -z "$VERSION" ]]; then
+    echo "Error: Could not determine Debian version from SHA256SUMS" >&2
+    exit 1
+fi
+
+# Extract hash from SHA256SUMS for this flavor
+ISO_FILENAME="debian-live-${VERSION}-amd64-${FLAVOR}.iso"
+HASH_HEX=$(echo "$SHA256SUMS_CONTENT" | \
+    grep " ${ISO_FILENAME}$" | \
+    awk '{print $1}')
+
+if [[ -z "$HASH_HEX" ]]; then
+    echo "Error: Could not find hash for $ISO_FILENAME in SHA256SUMS" >&2
+    echo "" >&2
+    echo "Available ISOs:" >&2
+    echo "$SHA256SUMS_CONTENT" | grep '\.iso$' | sed 's/^/  /' >&2
+    exit 1
+fi
+
+# Convert hex hash to SRI format
+HASH_SRI=$(nix-hash --type sha256 --to-sri "$HASH_HEX")
+
+# Output the Nix code block
+cat <<EOF
+          mrescue-debian-${FLAVOR} = mkDebianLive {
+            flavor = "${FLAVOR}";
+            version = "${VERSION}";
+            hash = "${HASH_SRI}";
+          };
+EOF