From: Nate Ohlson Date: Thu, 8 Aug 2024 19:35:00 +0000 (-0500) Subject: gh-112301: Update documentation for configure options (``--disable-safety`` and ... X-Git-Tag: v3.14.0a1~830 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aab18f4d925528c2cbe4625211bf904db2a28317;p=thirdparty%2FPython%2Fcpython.git gh-112301: Update documentation for configure options (``--disable-safety`` and ``--enable-slower-safety``) (#122758) Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 6a4a52bb6e8b..e00d1ee3e716 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -909,19 +909,32 @@ Security Options .. option:: --disable-safety - Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. + Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead. If this option is not enabled, CPython will be built based on safety compiler options with no slow down. + When this option is enabled, CPython will not be built with the compiler options listed below. - .. _OpenSSF: https://openssf.org/ + The following compiler options are disabled with :option:`!--disable-safety`: + + * `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows. + * `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks. + + .. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md + .. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows + .. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks .. versionadded:: 3.14 .. option:: --enable-slower-safety - Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. + Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead. If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. + When this option is enabled, CPython will be built with the compiler options listed below. + + The following compiler options are enabled with :option:`!--enable-slower-safety`: + + * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. - .. _OpenSSF: https://openssf.org/ + .. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows .. versionadded:: 3.14