8000 gh-112301: Update documentation for configure options (``--disable-sa… · python/cpython@aab18f4 · GitHub
[go: up one dir, main page]

Skip to content

Commit aab18f4

Browse files
nohlsonAA-Turner
andauthored
gh-112301: Update documentation for configure options (--disable-safety and --enable-slower-safety) (#122758)
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
1 parent 2037d8c commit aab18f4

File tree

1 file changed

+17
-4
lines changed

1 file changed

+17
-4
lines changed

Doc/using/configure.rst

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -909,19 +909,32 @@ Security Options
909909

910910
.. option:: --disable-safety
911911

912-
Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
912+
Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead.
913913
If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
914+
When this option is enabled, CPython will not be built with the compiler options listed below.
914915

915-
.. _OpenSSF: https://openssf.org/
916+
The following compiler options are disabled with :option:`!--disable-safety`:
917+
918+
* `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows.
919+
* `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks.
920+
921+
.. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
922+
.. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows
923+
.. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks
916924

917925
.. versionadded:: 3.14
918926

919927
.. option:: --enable-slower-safety
920928

921-
Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
929+
Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead.
922930
If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
931+
When this option is enabled, CPython will be built with the compiler options listed below.
932+
933+
The following compiler options are enabled with :option:`!--enable-slower-safety`:
934+
935+
* `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows.
923936

924-
.. _OpenSSF: https://openssf.org/
937+
.. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows
925938

926939
.. versionadded:: 3.14
927940

0 commit comments

Comments
 (0)
0