gh-121996: Introduce --disable-safty and --enable-slower-safty · corona10/cpython@8455a0f · GitHub

Commit 8455a0f

pythongh-121996: Introduce --disable-safty and --enable-slower-safty
1 parent 7b36b67 commit 8455a0f


4 files changed

+89
-6
lines changed


Doc/using/configure.rst

Lines changed: 19 additions & 0 deletions
@@ -907,6 +907,25 @@ Security Options
907907
The settings ``python`` and *STRING* also set TLS 1.2 as minimum
908908
protocol version.
909909

910+
.. option:: --disable-safty
911+
912+
Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
913+
If this option is not enabled, CPython will be built based on safty compiler options with no slow down.
914+
915+
.. _OpenSSF: https://openssf.org/
916+
917+
.. versionadded:: 3.14
918+
919+
.. option:: --enable-slower-safty
920+
921+
Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
922+
If this option is not enabled, CPython will not be built based on safty compiler options which performance impact.
923+
924+
.. _OpenSSF: https://openssf.org/
925+
926+
.. versionadded:: 3.14
927+
928+
910929
macOS Options
911930
-------------
912931
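Review bot: the option names on new lines 910 and 919 are spelled "safty"; because `--disable-safty` and `--enable-slower-safty` become user-facing configure switches, the spelling should be settled as "safety" before they ship, here and in the prose on lines 913 and 922. On line 913, "If this option is not enabled" reads ambiguously for a `--disable-` switch ("If this option is not given" says what is meant), and line 922's "which performance impact" is missing a verb. The `.. _OpenSSF:` target is defined twice (lines 915 and 924) with the same URL; one definition is enough. Neither entry names the compiler flags it controls, which is what a packager deciding on these switches needs to see.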

Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
Introduce ./configure --disable-safty and --enable-slower-safty options.
2+
Patch by Donghee Na.
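Review bot: line 1 of the entry lists the two option names without saying what they change, so a changelog reader cannot tell whether a default build is affected. Suggest adding one sentence on which group of compiler options each switch controls and what happens when neither is passed.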

configure

Lines changed: 46 additions & 3 deletions
Some generated files are not rendered by default.

configure.ac

Lines changed: 22 additions & 3 deletions
@@ -2458,9 +2458,28 @@ AS_VAR_IF([with_strict_overflow], [yes],
24582458

24592459
# Enable flags that warn and protect for potential security vulnerabilities.
24602460
# These flags should be enabled by default for all builds.
2461-
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
2462-
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
2463-
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
2461+
2462+
AC_MSG_CHECKING([for --disable-safty])
2463+
AC_ARG_ENABLE([safty],
2464+
[AS_HELP_STRING([--disable-safty], [disable usage of the security compiler options with no performance overhead])],
2465+
[AS_VAR_IF([enable_safty], [yes], [disable_safty=no], [disable_safty=yes])], [disable_safty=no])
2466+
AC_MSG_RESULT([$disable_safty])
2467+
2468+
if test "$disable_safty" = "no"
2469+
then
2470+
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
2471+
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
2472+
fi
2473+
2474+
AC_MSG_CHECKING([for --enable-slower-safty])
2475+
AC_ARG_ENABLE([slower-safty],
2476+
[AS_HELP_STRING([--enable-slower-safty], [enable usage of the security compiler options with performance overhead])],[])
2477+
AC_MSG_RESULT([$enable_slower_safty])
2478+
2479+
if test "$enable_slower_safty" = "yes"
2480+
then
2481+
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
2482+
fi
24642483

24652484
case $GCC in
24662485
yes)
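Review bot: `-D_FORTIFY_SOURCE=3` was checked unconditionally on old line 2463 and is now added only when `--enable-slower-safty` is passed (new lines 2479-2482), so a default build loses it; the unchanged comment on line 2460, "These flags should be enabled by default for all builds.", no longer describes that flag and should be updated along with the docs. Separately, the `AC_ARG_ENABLE([slower-safty], ...)` call on lines 2475-2476 has an empty action-if-given and no action-if-not-given, so `$enable_slower_safty` is unset when the switch is absent and `AC_MSG_RESULT` on line 2477 prints an empty result; passing `[enable_slower_safty=no]` as the fourth argument fixes that. On line 2465, any value other than `yes` (for example `--enable-safty=foo`) sets `disable_safty=yes`, which is probably broader than intended.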
