<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div><br></div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">Dihantar daripada telefon pintar Samsung Galaxy saya.</div></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Mesej asal --------</div><div>Daripada: Shawn <citypw@gmail.com> </div><div>Tarikh: 10/06/2017 11:23 PM (GMT+08:00) </div><div>Kepada: Chris Lamb <lamby@debian.org> </div><div>Sk: rb-general@lists.reproducible-builds.org </div><div>Subjek: Re: [rb-general] Question about reproducible builds for PaX/Grsecurity </div><div><br></div></div>Hi Chris,<br><br>On Sat, Jun 10, 2017 at 9:53 PM, Chris Lamb <lamby@debian.org> wrote:<br>> Dear Shawn,<br>><br>>> I've been to Chris Lamb's presentation at HKOSCON and it's really glad<br>>> to see such high percentage of packaging coverage in Debian GNU/Linux<br>>> distro.<br>><br>> Thank you for your kind words. However, whilst the presentation was mine,<br>> the Reproducible Builds effort is very much a team thing :)<br>><br>>> Because reproducible builds for PaX/Grsecurity requires the same seed<br>>> if Grsec's RANDSTRUCT was enabled.<br>><br>> For anyone following along here:<br>><br>> GRKERNSEC_RANDSTRUCT<br>> If you say Y here, the layouts of a number of sensitive kernel<br>> structures (task, fs, cred, etc) and all structures composed entirely<br>> of function pointers (aka "ops" structs) will be randomized at compile-time.<br>><br>> <https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures><br>><br>>> So my question is as a GNU/Linux distro, who's manage the seed?<br>><br>> So, starting at:<br>><br>> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/linux-grsec.html<br>><br>> .. this links to the following bugs:<br>><br>> * GRKERNSEC_RANDSTRUCT shouldn't be enabled<br>> <https://bugs.debian.org/814787><br>><br>> * Grsec's RANDSTRUCT and Reproducible Builds<br>> <https://bugs.debian.org/816439><br>><br>> The latter has a patch from Steven Chamberlain :)<br>><br>Steven's patch is basically what we've done in our implementation:<br><br>https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34<br><br>Thanks, it can be work out that way.<br><br><br><br>-- <br>GNU powered it...<br>GPL protect it...<br>God blessing it...<br><br>regards<br>Shawn<br>_______________________________________________<br>rb-general@lists.reproducible-builds.org mailing list<br><br>To change your subscription options, visit https://lists.reproducible-builds.org/listinfo/rb-general.<br><br>To unsubscribe, send an email to rb-general-unsubscribe@lists.reproducible-builds.org.</body></html>