Boost logo

Boost :

Subject: Re: [boost] Enabling spectre mitigation in boost libraries
From: John Maddock (jz.maddock_at_[hidden])
Date: 2019-04-06 16:46:30


On 05/04/2019 00:52, Riff J via Boost wrote:
> Hi everyone,
>
> I am a developer from Microsoft and currently using boost in our project.
> We recently get noticed by our security team, that the boost library we
> use, are not compiled with spectre mitigation (/Qspectre) enabled. Since
> boost is super powerful, it might not be a good idea to write our own or
> maintain our own version, so we are reaching out for help. Could anyone
> please help see if we could enable /Qspectre option in the official build
> of boost?

We tend to use default compiler flags for official builds, but it's
relatively easy for you to build Boost with whatever other flags you may
want:

cd boost-root-dir

bootstrap

b2 --build-type=complete cxxflags=-Qspectre

Will build the libraries with the latest installed msvc version and the
/Qspectre flag enabled.  And of course for header only libraries you
don't need to do anything at all anyway.

One thing we could look at for future releases would be to provide
differently-named binaries for /Qspectre.  Anyone else have thoughts on
that?

HTH, John.

>
> And here is the vcblog about the spectre mitigation, if anyone is
> interested:
> https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/
> .
>
> And since this is the first time I use this mail list, please let me know,
> if I didn't use it correctly or anything I should pay attention to.
>
> Thanks a lot,
> Riff
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
>

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk