[rb-general] Question about reproducible builds for PaX/Grsecurity

Chris Lamb lamby at debian.org
Sat Jun 10 15:53:15 CEST 2017

Dear Shawn,

> I've been to Chris Lamb's presentation at HKOSCON and it's really glad
> to see such high percentage of packaging coverage in Debian GNU/Linux
> distro.

Thank you for your kind words. However, whilst the presentation was mine,
the Reproducible Builds effort is very much a team thing :)

> Because reproducible builds for PaX/Grsecurity requires the same seed
> if Grsec's RANDSTRUCT was enabled.

For anyone following along here:

  If you say Y here, the layouts of a number of sensitive kernel
  structures (task, fs, cred, etc) and all structures composed entirely
  of function pointers (aka "ops" structs) will be randomized at compile-time.


> So my question is as a GNU/Linux distro, who's manage the seed?

So, starting at:


.. this links to the following bugs:

 * GRKERNSEC_RANDSTRUCT shouldn't be enabled

 * Grsec's RANDSTRUCT and Reproducible Builds

The latter has a patch from Steven Chamberlain :)


     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk

More information about the rb-general mailing list