search

ossf / wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
https://openssf.org
Apache License 2.0
776 stars 133 forks source link

Add -D_LIBCPP_ENABLE_HARDENED_MODE=1 #284

Open david-a-wheeler opened 1 year ago

david-a-wheeler commented 1 year ago

We should probably add -D_LIBCPP_ENABLE_HARDENED_MODE=1. It helps for C++ when using libc++ and the LLVM compiler. See: https://libcxx.llvm.org/Hardening.html#using-hardening-modes

thesamesam commented 1 year ago

This bug is essentially a dupe of #149. LLVM keeps changing the option name. Please see https://github.com/ossf/wg-best-practices-os-developers/issues/149#issuecomment-1783719487 in particular.

thomasnyman commented 1 year ago

Thanks @thesamesam for keeping us updated on this. We jumped the gun a bit with the deprecation notes for the older macros as we were basing this on the proposed changes to LLVM 17. Given that these and the older alternatives have been unstable in the past, I would suggest we wait with further additions to the guide until the new hardened mode becomes available in a LLVM release, hopefully with LLVM 18.0.

thomasnyman commented 3 months ago

It seems libc++ documentation has received a page on Hardening modes that seems to match the proposal from November in 2023 in the Hardening RFC.

Can anyone with more insight into the discussions around these comment on whether the documented modes can be considered stable?

thesamesam commented 3 months ago

I believe the now-documented modes aren't going to change. I can't promise that, but we haven't seen any discussions of changes, and have been using the new ones for a few releases in Gentoo now. I've also updated Meson to use them.