pythongh-121996: Introduce configure --disable-openssf-guide

corona10 · corona10 · commit 70bba417f22d · 2024-07-19T10:22:41.000+09:00
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst
@@ -907,6 +907,15 @@ Security Options
       The settings ``python`` and *STRING* also set TLS 1.2 as minimum
       protocol version.
 
+.. option:: --disable-openssf-guide=[yes|no|default=no]
+
+   Disable compiler options that are recommended by `OpenSSF`_ for security reasons.
+
+   .. _OpenSSF: https://openssf.org/
+
+   .. versionadded:: 3.14
+
+
 macOS Options
 -------------
 
diff --git a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst
@@ -0,0 +1 @@
+Introduce ./configure --disable-openssf-guide option. Patch by Donghee Na.
diff --git a/configure b/configure
diff --git a/configure.ac b/configure.ac
@@ -2458,9 +2458,19 @@ AS_VAR_IF([with_strict_overflow], [yes],
 
 # Enable flags that warn and protect for potential security vulnerabilities.
 # These flags should be enabled by default for all builds.
-AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
-AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
-AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
+
+AC_MSG_CHECKING([for --disable-openssf-guide])
+AC_ARG_ENABLE([openssf_guide],
+  [AS_HELP_STRING([--disable-openssf-guide], [disable usage of the security compiler options (default is no)])],
+  [AS_VAR_IF([enable_openssf_guide], [yes], [disable_openssf_guide=no], [disable_openssf_guide=yes])], [disable_openssf_guide=no])
+AC_MSG_RESULT([$disable_openssf_guide])
+
+if test "$disable_openssf_guide" = "no"
+then
+  AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
+  AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
+  AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
+fi
 
 case $GCC in
 yes)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Introduce ./configure --disable-openssf-guide option. Patch by Donghee Na.`