Should Python builds add `-mindirect-branch=thunk -mindirect-branch-register` to CFLAGS? Where would this be to be added in the build scripts with which architectures? /QSpectre is the MSVC build flag for Spectre Variant 1:

The /Qspectre option is available in Visual Studio 2017 version 15.7 and later.

https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017 security@ directed me to the issue tracker / lists, so I'm forwarding this to python-dev and python-ideas, as well. # Forwarded message From: *Wes Turner* Date: Wednesday, September 12, 2018 Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register To: distutils-sig Should C extensions that compile all add `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)? [1] https://github.com/speed47/spectre-meltdown-checker/ issues/119#issuecomment-361432244 [2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) [3] https://en.wikipedia.org/wiki/Speculative_Store_Bypass# Speculative_execution_exploit_variants On Wednesday, September 12, 2018, Wes Turner wrote:

...

On Wednesday, September 12, 2018, Joni Orponen wrote:

...

On Wed, Sep 12, 2018 at 8:48 PM Wes Turner wrote:

...

Should C extensions that compile all add `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)?

Are those available on GCC <= 4.2.0 as per PEP 513?

AFAIU, only GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.

On Wednesday, September 12, 2018, Wes Turner wrote:

"What is a retpoline and how does it work?" https://stackoverflow.com/questions/48089426/what-is-a- retpoline-and-how-does-it-work