diff options
| author | Nate Ohlson <nohlson@purdue.edu> | 2024-08-08 19:35:00 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-08-08 19:35:00 (GMT) |
| commit | aab18f4d925528c2cbe4625211bf904db2a28317 (patch) | |
| tree | 7dc690a5b14d0c3de2ab0aa3b5c1f36add3618a7 | |
| parent | 2037d8cbaea4aed7000e3265113814657a9aea54 (diff) | |
| download | cpython-aab18f4d925528c2cbe4625211bf904db2a28317.zip cpython-aab18f4d925528c2cbe4625211bf904db2a28317.tar.gz cpython-aab18f4d925528c2cbe4625211bf904db2a28317.tar.bz2 | |
gh-112301: Update documentation for configure options (``--disable-safety`` and ``--enable-slower-safety``) (#122758)
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
| -rw-r--r-- | Doc/using/configure.rst | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 6a4a52b..e00d1ee 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -909,19 +909,32 @@ Security Options .. option:: --disable-safety - Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. + Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead. If this option is not enabled, CPython will be built based on safety compiler options with no slow down. + When this option is enabled, CPython will not be built with the compiler options listed below. - .. _OpenSSF: https://openssf.org/ + The following compiler options are disabled with :option:`!--disable-safety`: + + * `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows. + * `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks. + + .. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md + .. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows + .. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks .. versionadded:: 3.14 .. option:: --enable-slower-safety - Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. + Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead. If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. + When this option is enabled, CPython will be built with the compiler options listed below. + + The following compiler options are enabled with :option:`!--enable-slower-safety`: + + * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. - .. _OpenSSF: https://openssf.org/ + .. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows .. versionadded:: 3.14 |