Skip to content

gh-112301: Update disable safety and enable slow safety configure options documentation #122758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AA-Turner merged 3 commits into from
Aug 8, 2024
Merged

gh-112301: Update disable safety and enable slow safety configure options documentation #122758

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f33e964
Update disable safety and enable slow safety options in docs
nohlson Aug 6, 2024
67f3faf
Make option names the link
nohlson Aug 6, 2024
6875a68
Re-word some sentences for clarity
nohlson Aug 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions Doc/using/configure.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -911,17 +911,31 @@ Security Options

Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead.

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expanded link text

If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
When this option is enabled, CPython will not be built with the compiler options listed below.

.. _OpenSSF: https://openssf.org/
Compiler options that are disabled with this option:
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Compiler options that are disabled with this option:
The following compiler options are disabled with :option:`!--disable-safety`:

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-worded sentence


* `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows.
* `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks.

.. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
.. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed link text

.. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows
.. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks

.. versionadded:: 3.14

.. option:: --enable-slower-safety

Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead.

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expanded link text

If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
When this option is enabled, CPython will be built with the compiler options listed below.

Compiler options that are enabled with this option:
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Compiler options that are enabled with this option:
The following compiler options are enabled with :option:`!--enable-slower-safety`:

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-worded sentence


* `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows.

.. _OpenSSF: https://openssf.org/
.. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
Copy link
Copy Markdown
Member

@AA-Turner AA-Turner Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need to (and shouldn't) redefine link targets in the same document

Suggested change
.. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md

Copy link
Copy Markdown
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed superfluous link

.. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows

.. versionadded:: 3.14

Expand Down