[rb-general] Question about reproducible builds for PaX/Grsecurity
Chris Lamb
lamby at debian.org
Sat Jun 10 15:53:15 CEST 2017
Dear Shawn,
> I've been to Chris Lamb's presentation at HKOSCON and I'm really glad
> to see such a high percentage of packaging coverage in the Debian
> GNU/Linux distro.
Thank you for your kind words. However, whilst the presentation was mine,
the Reproducible Builds effort is very much a team thing :)
> Because reproducible builds for PaX/Grsecurity requires the same seed
> if Grsec's RANDSTRUCT was enabled.
For anyone following along here:
    GRKERNSEC_RANDSTRUCT

    If you say Y here, the layouts of a number of sensitive kernel
    structures (task, fs, cred, etc) and all structures composed entirely
    of function pointers (aka "ops" structs) will be randomized at compile-time.
<https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures>
> So my question is: for a GNU/Linux distro, who manages the seed?
So, starting at:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/linux-grsec.html
.. this links to the following bugs:
* GRKERNSEC_RANDSTRUCT shouldn't be enabled
<https://bugs.debian.org/814787>
* Grsec's RANDSTRUCT and Reproducible Builds
<https://bugs.debian.org/816439>
The latter has a patch from Steven Chamberlain :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
`-