[rb-general] Question about reproducible builds for PaX/Grsecurity
Ximin Luo
infinity0 at debian.org
Thu Jun 22 12:25:00 CEST 2017
Shawn:
> [..]
>>
>> * Grsec's RANDSTRUCT and Reproducible Builds
>> <https://bugs.debian.org/816439>
>>
>> The latter has a patch from Steven Chamberlain :)
>>
> Steven's patch is basically what we've done in our implementation:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34
>
> Thanks, it can be work out that way.
>
I'm not sure of the security implications of the RANDSTRUCT and the attacks they want to defend against, but it might be worth using the SHA256 sum of the whole debian/changelog file - or even more files, depending on how much extra time you're prepared to have the build take.
This may prevent or make it harder, for attackers to predict values *in advance* and calculate rainbow tables or some similar thing to attack RANDSTRUCT stuff with. Again, I'm guessing here as I don't know the details, but I don't see that what I suggested would cause any harm, only potential benefit.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
More information about the rb-general
mailing list