Subject: Re: [boost] Enabling spectre mitigation in boost libraries
From: Rainer Deyke (rainerd_at_[hidden])
Date: 2019-04-07 16:10:55
On 07.04.19 16:10, degski via Boost wrote:
> The best way to drive a bicycle is obviously with side-wheels, a helmet on,
> knee paddings and to never leave your drive-way. Once the [a] lib is
> compiled with Spectre-Mitigations, there is no way of "turning it off". In
> reality the problem is highly hypothetical as most (Windows) Boost users
> seem to prefer to use out-dated compilers [and out-dated Boost for that
> matter] and will not [be able to] use these spectre-mitigated-libs anyway.
Yes, I think we're all aware that any heuristic can lead to absurdity
when taken to the extreme. We're also all aware that lots of code is
shipped with serious security flaws, so clearly a lot of programmers are
erring on the side of "not enough security".
Like I said, I'm mostly neutral on the issue of whether spectre
mitigation should be turned on by default or not. I just find it
strange that someone from Microsoft should complain about Boost being
compiled with the compiler options that someone else at Microsoft
decided to make the default options for that compiler. From an outsider
perspective, it looks like a case of the right hand not knowing what the
left hand is doing.
-- Rainer Deyke (rainerd_at_[hidden])
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk