On 07.04.19 16:10, degski via Boost wrote:
The best way to drive a bicycle is obviously with side-wheels, a helmet on, knee paddings and to never leave your drive-way. Once the [a] lib is compiled with Spectre-Mitigations, there is no way of "turning it off". In reality the problem is highly hypothetical as most (Windows) Boost users seem to prefer to use out-dated compilers [and out-dated Boost for that matter] and will not [be able to] use these spectre-mitigated-libs anyway.
Yes, I think we're all aware that any heuristic can lead to absurdity when taken to the extreme. We're also all aware that lots of code is shipped with serious security flaws, so clearly a lot of programmers are erring on the side of "not enough security". Like I said, I'm mostly neutral on the issue of whether spectre mitigation should be turned on by default or not. I just find it strange that someone from Microsoft should complain about Boost being compiled with the compiler options that someone else at Microsoft decided to make the default options for that compiler. From an outsider perspective, it looks like a case of the right hand not knowing what the left hand is doing. -- Rainer Deyke (rainerd@eldwood.com)