> While still a long way Reproducible builds might pose a problem for a Grsec
> kernel when CONFIG_GRKERNSEC_RANDSTRUCT is set to 'y' because this feature
> randomizes kernel symbols and structures during compilation and is not meant
> to be the same. For a publicly distributed kernel binary this feature does
> not provide any protection anyhow because these addresses are already known.
> This feature will need to be disabled for full compatibility with
> reproducible build systems.

Just FYI, the @grsecurity account tweeted the following today:

  Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is actually
  compatible with reproducible builds, just need to keep
  randomize_layout_seed.h.

  https://twitter.com/grsecurity/status/704869584218685440

No idea how relevant this is for reproducible builds in Debian. Just
relaying it.

Ciao,
-d