Subject: Re: [boost] Enabling spectre mitigation in boost libraries
From: Riff J (r12f.code_at_[hidden])
Date: 2019-04-06 19:46:39
Thank you all so much for helping looking into this! As the spectre
and meltdown vulnerabilities are widely impacted everywhere, I believe
there will be other people also need this. Having a pre-build binary
release should be a good thing in general.
On Sat, Apr 6, 2019 at 9:46 AM John Maddock via Boost
> One thing we could look at for future releases would be to provide
> differently-named binaries for /Qspectre. Anyone else have thoughts on
For the name, how about spct or spectre or meltdown, since both s and
md might not be good ideas?
On Sat, Apr 6, 2019 at 10:31 AM Andrey Semashev via Boost
> I don't think replacing built binaries with Spectre-protected ones is
> what we want, but adding them as an option might be possible. However,
> doubling the number of configurations of the built libraries would be
> too taxing. E.g. one package of Boost 1.69 (which corresponds to one
> version of MSVC at one bitness) is already 200-250 MiB, and that would
> have to double for the newer MSVC versions that support the flag. If
> we're going to package these binaries, maybe we should package them
I do agree the package size is large today. If possible, I wonder if
we could try splitting the package with different types of run time
library, which might cut the each package size by ~4x. I believe most
of people don't mix the use of run time libraries, as you will run
into link errors, so it should not add too much burden to everyone.
And for our project, we are now managing all the dependencies with
nuget, e.g. boost.filesystem with vc141:
https://www.nuget.org/packages/boost_filesystem-vc141/. With this
approach, we can greatly reduce the binaries we need to download.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk