Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

gh-112301: Update documentation for configure options (``--disable-safety`` and ``--enable-slower-safety``) (#122758) 

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
This commit is contained in:
Nate Ohlson 2024-08-08 14:35:00 -05:00 committed by GitHub
parent 2037d8cbae
commit aab18f4d92
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Doc/using/configure.rst
View File

@ -909,19 +909,32 @@ Security Options
.. option:: --disable-safety
Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead.
If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
When this option is enabled, CPython will not be built with the compiler options listed below.
.. _OpenSSF: https://openssf.org/
The following compiler options are disabled with :option:`!--disable-safety`:
* `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows.
* `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks.
.. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
.. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows
.. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks
.. versionadded:: 3.14
.. option:: --enable-slower-safety
Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead.
If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
When this option is enabled, CPython will be built with the compiler options listed below.
.. _OpenSSF: https://openssf.org/
The following compiler options are enabled with :option:`!--enable-slower-safety`:
* `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows.
.. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows
.. versionadded:: 3.14