8000 gh-121996: Introduce --disable-safety and --enable-slower-safety opt… · python/cpython@a9bb3c7 · GitHub
[go: up one dir, main page]
Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit a9bb3c7

Browse files
corona10corona10
authored
gh-121996: Introduce --disable-safety and --enable-slower-safety options (#122054)
* gh-121996: Introduce --disable-safty and --enable-slower-safty * Update GA * fix * Address code review * Update CI
1 parent 2762c6c commit a9bb3c7

File tree

7 files changed

+93
-7
lines changed

7 files changed

+93
-7
lines changed

.github/workflows/build.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -307,7 +307,7 @@ jobs:
307307
with:
308308
save: false
309309
- name: Configure CPython
310-
run: ./configure --config-cache --with-pydebug --with-openssl=$OPENSSL_DIR
310+
run: ./configure --config-cache --enable-slower-safety --with-pydebug --with-openssl=$OPENSSL_DIR
311311
- name: Build CPython
312312
run: make -j4
313313
- name: Display build info
@@ -380,6 +380,7 @@ jobs:
380380
../cpython-ro-srcdir/configure \
381381
--config-cache \
382382
--with-pydebug \
383+
--enable-slower-safety \
383384
--with-openssl=$OPENSSL_DIR
384385
- name: Build CPython out-of-tree
385386
working-directory: ${{ env.CPYTHON_BUILDDIR }}

.github/workflows/reusable-macos.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,7 @@ jobs:
5353
./configure \
5454
--config-cache \
5555
--with-pydebug \
56+
--enable-slower-safety \
5657
${{ inputs.free-threading && '--disable-gil' || '' }} \
5758
--prefix=/opt/python-dev \
5859
--with-openssl="$(brew --prefix openssl@3.0)"

.github/workflows/reusable-ubuntu.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,7 @@ jobs:
6969
../cpython-ro-srcdir/configure
7070
--config-cache
7171
--with-pydebug
72+
--enable-slower-safety
7273
--with-openssl=$OPENSSL_DIR
7374
${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
7475
- name: Build CPython out-of-tree

Doc/using/configure.rst

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -907,6 +907,25 @@ Security Options
907907
The settings ``python`` and *STRING* also set TLS 1.2 as minimum
908908
protocol version.
909909

910+
.. option:: --disable-safety
911+
912+
Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
913+
If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
914+
915+
.. _OpenSSF: https://openssf.org/
916+
917+
.. versionadded:: 3.14
918+
919+
.. option:: --enable-slower-safety
920+
921+
Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
922+
If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
923+
924+
.. _OpenSSF: https://openssf.org/
925+
926+
.. versionadded:: 3.14
927+
928+
910929
macOS Options
911930
-------------
912931

Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Introduce ./configure --disable-safety and --enable-slower-safety options.
2+
Patch by Donghee Na.

configure

Lines changed: 46 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

configure.ac

Lines changed: 22 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2499,9 +2499,28 @@ AS_VAR_IF([with_strict_overflow], [yes],
24992499

25002500
# Enable flags that warn and protect for potential security vulnerabilities.
25012501
# These flags should be enabled by default for all builds.
2502-
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
2503-
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
2504-
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
2502+
2503+
AC_MSG_CHECKING([for --disable-safety])
2504+
AC_ARG_ENABLE([safety],
2505+
[AS_HELP_STRING([--disable-safety], [disable usage of the security compiler options with no performance overhead])],
2506+
[AS_VAR_IF([enable_safety], [yes], [disable_safety=no], [disable_saftey=yes])], [disable_saftey=no])
2507+
AC_MSG_RESULT([$disable_safety])
2508+
2509+
if test "$disable_safety" = "no"
2510+
then
2511+
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
2512+
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
2513+
fi
2514+
2515+
AC_MSG_CHECKING([for --enable-slower-safety])
2516+
AC_ARG_ENABLE([slower-safety],
2517+
[AS_HELP_STRING([--enable-slower-safety], [enable usage of the security compiler options with performance overhead])],[])
2518+
AC_MSG_RESULT([$enable_slower_safety])
2519+
2520+
if test "$enable_slower_safety" = "yes"
2521+
then
2522+
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
2523+
fi
25052524

25062525
case $GCC in
25072526
yes)

0 commit comments

Comments
 (0)
0