Conversation
Signed-off-by: Martijn Govers <[email protected]>
| set_target_properties( | ||
| power_grid_model_api_tests | ||
| PROPERTIES BUILD_RPATH $<TARGET_FILE_DIR:power_grid_model_c> | ||
| ) | ||
|
|
| "environment": { | ||
| "SANITIZER_FLAGS": "/RTC1" | ||
| }, |
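Review bot: `SANITIZER_FLAGS` is set to `/RTC1` in this preset's `environment` block, but `/RTC1` turns on MSVC run-time error checks rather than a sanitizer, so the variable name misleads anyone reading the preset. MSVC also refuses `/RTC1` together with optimization such as `/O2`, so confirm this block only reaches debug configurations, or give the value its own variable and apply it for Debug only.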
Can we also move this to the CMakeLists?
| project(power_grid_model VERSION ${PGM_VERSION}) | ||
|
|
||
| option(PGM_ENABLE_DEV_BUILD "Enable developer build (e.g.: tests)" OFF) | ||
| option(PGM_ENABLE_HARDENING "Enable compile and link time hardening options" ON) |
I don't think enabling it by default is logical. Disabling it by default and only enabling it in our dev preset is logical.
In the Python build we do not enable it.

Hardening is intended to be used in production.

The hardened code itself (so the adjustments to make compilation pass with the hardening check flag) is intended to be used in production. The compilation flags to check hardening are not intended to be used in production.

From the GCC command line options (https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened):
This option is intended to be used in production builds, not merely in debug builds.
See also https://www.youtube.com/watch?v=GtYD-AIXBHk&list=PLHTh1InhhwT57vblPGsVag5MkTm_Z9-uq&index=2

I still have huge doubts about the default. This goes against the other golden rule of open-source CMake projects: add as few extra compile and link flags as needed in the default CMake build.
Also, enabling address sanitizing for production is questionable.
We need more in-depth consideration and discussion.

We can also let CIBW set the compiler flags for hardening.
| before-all = """yum install -y gcc-toolset-14 && \ | ||
| source /opt/rh/gcc-toolset-14/enable""" |
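Review bot: the `source /opt/rh/gcc-toolset-14/enable` at the end of `before-all` only changes the environment of the shell that runs this command, so the later build steps may still pick up the default system compiler. If the newer GCC is needed for the wheel build itself, put the toolset on `PATH` through the build environment setting instead, and add a comment saying why gcc-toolset-14 is required.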
This should not be needed if we disable build hardening by default.
OpenSSF gold badge: apply hardening fixes from #1241 without enabling hardening itself



Cherry-picked from #1228
Investigate the possibilities of hardening
Relates to #1190