gh-112301: Update documentation for configure options (``--disable-safety`` and ...

author Nate Ohlson <nohlson@purdue.edu>

Thu, 8 Aug 2024 19:35:00 +0000 (14:35 -0500)

committer GitHub <noreply@github.com>

Thu, 8 Aug 2024 19:35:00 +0000 (20:35 +0100)
author Nate Ohlson <nohlson@purdue.edu>
Thu, 8 Aug 2024 19:35:00 +0000 (14:35 -0500)
committer GitHub <noreply@github.com>
Thu, 8 Aug 2024 19:35:00 +0000 (20:35 +0100)
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst

index 6a4a52bb6e8b12035820a78c9a56aa2a33ec8ce7..e00d1ee3e716e703ef7f2c820b94d043c62c6814 100644 (file)
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@@ -909,19 +909,32 @@ Security Options
  
  .. option:: --disable-safety
  
-   Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
+   Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead.
     If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
+   When this option is enabled, CPython will not be built with the compiler options listed below.
  
-   .. _OpenSSF: https://openssf.org/
+   The following compiler options are disabled with :option:`!--disable-safety`:
+
+   * `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows.
+   * `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks.
+
+   .. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+   .. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows
+   .. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks
  
     .. versionadded:: 3.14
  
  .. option:: --enable-slower-safety
  
-   Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
+   Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead.
     If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
+   When this option is enabled, CPython will be built with the compiler options listed below.
+
+   The following compiler options are enabled with :option:`!--enable-slower-safety`:
+
+   * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows.
  
-   .. _OpenSSF: https://openssf.org/
+   .. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows
  
     .. versionadded:: 3.14
author	Nate Ohlson <nohlson@purdue.edu>
	Thu, 8 Aug 2024 19:35:00 +0000 (14:35 -0500)
committer	GitHub <noreply@github.com>
	Thu, 8 Aug 2024 19:35:00 +0000 (20:35 +0100)