[rb-general] Question about reproducible builds for PaX/Grsecurity
lamby at debian.org
Sat Jun 10 15:53:15 CEST 2017
> I've been to Chris Lamb's presentation at HKOSCON and it's really glad
> to see such high percentage of packaging coverage in Debian GNU/Linux
Thank you for your kind words. However, whilst the presentation was mine,
the Reproducible Builds effort is very much a team thing :)
> Because reproducible builds for PaX/Grsecurity requires the same seed
> if Grsec's RANDSTRUCT was enabled.
For anyone following along here:
If you say Y here, the layouts of a number of sensitive kernel
structures (task, fs, cred, etc) and all structures composed entirely
of function pointers (aka "ops" structs) will be randomized at compile-time.
> So my question is as a GNU/Linux distro, who's manage the seed?
So, starting at:
.. this links to the following bugs:
* GRKERNSEC_RANDSTRUCT shouldn't be enabled
* Grsec's RANDSTRUCT and Reproducible Builds
The latter has a patch from Steven Chamberlain :)
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
More information about the rb-general