[rb-general] Question about reproducible builds for PaX/Grsecurity

Ximin Luo infinity0 at debian.org
Thu Jun 22 12:31:00 CEST 2017


Ximin Luo:
> Shawn:
>> [..]
>>>
>>>  * Grsec's RANDSTRUCT and Reproducible Builds
>>>    <https://bugs.debian.org/816439>
>>>
>>> The latter has a patch from Steven Chamberlain :)
>>>
>> Steven's patch is basically what we've done in our implementation:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34
>>
>> Thanks, it can be work out that way.
>>
> 
> I'm not sure of the security implications of the RANDSTRUCT and the attacks they want to defend against, but it might be worth using the SHA256 sum of the whole debian/changelog file - or even more files, depending on how much extra time you're prepared to have the build take.
> 
> This may prevent or make it harder, for attackers to predict values *in advance* and calculate rainbow tables or some similar thing to attack RANDSTRUCT stuff with. Again, I'm guessing here as I don't know the details, but I don't see that what I suggested would cause any harm, only potential benefit.
> 

SHA512 even, there's no reason to use a shorter one here I think.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git


More information about the rb-general mailing list