[rb-general] Question about reproducible builds for PaX/Grsecurity

Ximin Luo infinity0 at debian.org
Thu Jun 22 12:25:00 CEST 2017

>>  * Grsec's RANDSTRUCT and Reproducible Builds
>>    <https://bugs.debian.org/816439>
>> The latter has a patch from Steven Chamberlain :)
> Steven's patch is basically what we've done in our implementation:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34
> Thanks, it can be worked out that way.

I'm not sure of the security implications of the RANDSTRUCT and the attacks they want to defend against, but it might be worth using the SHA256 sum of the whole debian/changelog file - or even more files, depending on how much extra time you're prepared to have the build take.

This may prevent, or make it harder for, attackers to predict values *in advance* and calculate rainbow tables or some similar thing to attack RANDSTRUCT stuff with. Again, I'm guessing here as I don't know the details, but I don't see that what I suggested would cause any harm, only potential benefit.
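The suggestion above, deriving the value from the SHA256 of debian/changelog and optionally more files, can be sketched as follows; this is an added example, not part of the original message or of the patch in #816439. The helper name `derive_seed` is hypothetical, and how the result is handed to the RANDSTRUCT plugin is left out because the thread does not describe it.

```shell
#!/bin/sh
# Added illustration: derive a reproducible 256-bit value from one or more
# source-package files. derive_seed is a hypothetical helper name.
#
# Usage (from the source root): derive_seed debian/changelog [MORE FILES...]
#
# Pass paths relative to the source root. The path strings are hashed along
# with the file contents, so absolute paths would make the result depend on
# the build directory and break reproducibility.
derive_seed() {
    [ "$#" -gt 0 ] || { echo "usage: derive_seed FILE..." >&2; return 2; }

    # Fail before hashing anything if an input is missing, so a partial
    # file set can never silently produce a different value.
    for f in "$@"; do
        [ -r "$f" ] || { echo "derive_seed: cannot read $f" >&2; return 1; }
    done

    # 1. One "<sha256>  <path>" line per file.
    # 2. Sort in the C locale so neither argument order nor the builder's
    #    locale changes the result.
    # 3. Hash the sorted manifest and keep only the 64 hex digits.
    sha256sum -- "$@" | LC_ALL=C sort | sha256sum | cut -d' ' -f1
}

# Run stand-alone when called with file arguments.
if [ "$#" -gt 0 ]; then
    derive_seed "$@"
fi
```

Every input is public, so the result is reproducible by anyone holding the source package, and it changes whenever any listed file changes.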


