[rb-general] Question about reproducible builds for PaX/Grsecurity
Shawn
citypw at gmail.com
Sat Jun 10 17:23:17 CEST 2017
Hi Chris,

On Sat, Jun 10, 2017 at 9:53 PM, Chris Lamb <lamby at debian.org> wrote:
> Dear Shawn,
>
>> I've been to Chris Lamb's presentation at HKOSCON and I'm really glad
>> to see such a high percentage of packaging coverage in the Debian GNU/Linux
>> distro.
>
> Thank you for your kind words. However, whilst the presentation was mine,
> the Reproducible Builds effort is very much a team thing :)
>
>> Because reproducible builds for PaX/Grsecurity require the same seed
>> if Grsec's RANDSTRUCT is enabled.
>
> For anyone following along here:
>
> GRKERNSEC_RANDSTRUCT
> If you say Y here, the layouts of a number of sensitive kernel
> structures (task, fs, cred, etc) and all structures composed entirely
> of function pointers (aka "ops" structs) will be randomized at compile-time.
>
> <https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures>
>
>> So my question is: as a GNU/Linux distro, who manages the seed?
>
> So, starting at:
>
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/linux-grsec.html
>
> .. this links to the following bugs:
>
> * GRKERNSEC_RANDSTRUCT shouldn't be enabled
> <https://bugs.debian.org/814787>
>
> * Grsec's RANDSTRUCT and Reproducible Builds
> <https://bugs.debian.org/816439>
>
> The latter has a patch from Steven Chamberlain :)
>
Steven's patch is basically what we've done in our implementation:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34
Thanks, it can be worked out that way.
--
GNU powered it...
GPL protect it...
God blessing it...
regards
Shawn