> While sill a long way Reproducible builds might pose a problem for a Grsec
> kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y' because this feature
> randomizes kernel symbols and structures during compilation and is not meant
> to be the same. For a publicly distributed kernel binary this feature does
> not provide any protection anyhow because these addresses are already known.
> This feature will need to be disabled for full compatibility with
> reproducible build systems.
Just FYI, the @grsecurity account tweeted the following today:
Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
actually compatible with reproducible builds, just need to
keep randomize_layout_seed.h.
https://twitter.com/grsecurity/status/704869584218685440
No idea how relevant this is for reproducible builds in Debian. Just
relaying it.
Ciao,
-d
