https://github.com/python/cpython/commit/aab18f4d925528c2cbe4625211bf904db2a28317
commit: aab18f4d925528c2cbe4625211bf904db2a28317
branch: main
author: Nate Ohlson <nohl...@purdue.edu>
committer: AA-Turner <9087854+aa-tur...@users.noreply.github.com>
date: 2024-08-08T20:35:00+01:00
summary:

gh-112301: Update documentation for configure options (``--disable-safety`` and 
``--enable-slower-safety``) (#122758)

Co-authored-by: Adam Turner <9087854+aa-tur...@users.noreply.github.com>

files:
M Doc/using/configure.rst

diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst
index 6a4a52bb6e8b12..e00d1ee3e716e7 100644
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@@ -909,19 +909,32 @@ Security Options
 
 .. option:: --disable-safety
 
-   Disable compiler options that are recommended by `OpenSSF`_ for security 
reasons with no performance overhead.
+   Disable compiler options that are `recommended by OpenSSF`_ for security 
reasons with no performance overhead.
    If this option is not enabled, CPython will be built based on safety 
compiler options with no slow down.
+   When this option is enabled, CPython will not be built with the compiler 
options listed below.
 
-   .. _OpenSSF: https://openssf.org/
+   The following compiler options are disabled with 
:option:`!--disable-safety`:
+
+   * `-fstack-protector-strong`_: Enable run-time checks for stack-based 
buffer overflows.
+   * `-Wtrampolines`_: Enable warnings about trampolines that require 
executable stacks.
+
+   .. _recommended by OpenSSF: 
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+   .. _-fstack-protector-strong: 
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows
+   .. _-Wtrampolines: 
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks
 
    .. versionadded:: 3.14
 
 .. option:: --enable-slower-safety
 
-   Enable compiler options that are recommended by `OpenSSF`_ for security 
reasons which require overhead.
+   Enable compiler options that are `recommended by OpenSSF`_ for security 
reasons which require overhead.
    If this option is not enabled, CPython will not be built based on safety 
compiler options which performance impact.
+   When this option is enabled, CPython will be built with the compiler 
options listed below.
+
+   The following compiler options are enabled with 
:option:`!--enable-slower-safety`:
+
+   * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks 
for unsafe libc usage and buffer overflows.
 
-   .. _OpenSSF: https://openssf.org/
+   .. _-D_FORTIFY_SOURCE=3: 
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows
 
    .. versionadded:: 3.14
 
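Review bot: In the --disable-safety entry, the added sentence "When this option is enabled, CPython will not be built with the compiler options listed below" and the retained "If this option is not enabled, CPython will be built based on safety compiler options with no slow down" both speak of "enabling" a --disable-* flag, which leaves the reader to untangle a double negative. Wording such as "When --disable-safety is passed, the following compiler options are not used" would say it directly and would make the older sentence redundant. Under --enable-slower-safety, the unchanged line ending "safety compiler options which performance impact" is ungrammatical and now overlaps with the added "When this option is enabled" sentence, so it could be fixed or dropped in this same change.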
