Hasnain says:

Great technical analysis and insight here.

“So after all this work, what did we learn?

Turning on -Ofast will end up turning on -ffast-math, and that can cause all sorts of problems for any program unlucky enough to load them.

Even if you explicitly ask for no fast math, you will still get fast math as long as -Ofast is enabled.

It is surprisingly feasible (though perhaps not wise) for a single individual with a good internet connection to download 4 TB of Python packages and scan 11 TB of shared libraries in a single day.

It is definitely not wise to try to run pip download or pip install --dry-run on every package listed in PyPI, at least not without some good sandboxing, because it will execute tons of random code from files and leave you with a giant mess to clean up.

Because of the highly connected nature of the modern software supply chain, even though a mere 49 packages were actually built with -ffast-math, thousands of other packages, with a total of at least 9.7 million downloads over the past 30 days, are affected.”

Posted on 2022-09-22T05:03:13+0000
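The quoted findings say that a library built with -Ofast/-ffast-math "can cause all sorts of problems for any program unlucky enough to load" it, but not how. The example below is added here and is not code from the comment, the article it quotes, or any PyPI package. It assumes the mechanism behind the finding on x86-64: a shared library compiled with -ffast-math links GCC's crtfastmath startup object, which sets the FTZ and DAZ bits in MXCSR for the whole process at load time, so subnormal (denormal) doubles are thereafter read and produced as zero. The names `subnormals_work`, `fast_math_status`, `flush_to_zero` and `invert_gap` are this example's own. It gives a runtime probe a package could run to see whether its process has already been affected, and a software model of flush-to-zero that shows why a guard that is sound under IEEE arithmetic fails once a fast-math library is loaded.

```python
"""Probe and model of the process-wide -ffast-math side effect.

Assumption (x86-64): loading a library built with -ffast-math / -Ofast sets
the FTZ and DAZ bits in MXCSR for the whole process, so every subnormal
double is treated as zero from then on, in every package the interpreter
has loaded, not just the one that was built that way.
"""
import sys
from typing import Optional

DBL_MIN = sys.float_info.min      # smallest *normal* double, about 2.2e-308
DBL_TRUE_MIN = 5e-324             # smallest subnormal double


def subnormals_work() -> bool:
    """Runtime probe: does this process still honour IEEE gradual underflow?

    Under DAZ a subnormal *input* is read as zero, so DBL_TRUE_MIN * 1.0
    gives 0.0; under FTZ a subnormal *result* is flushed, so DBL_MIN / 2.0
    gives 0.0. Both are non-zero in a clean process.
    """
    return (DBL_TRUE_MIN * 1.0 != 0.0) and (DBL_MIN / 2.0 != 0.0)


def fast_math_status() -> str:
    """Verdict string a package could log or assert on at import time."""
    return "ieee" if subnormals_work() else "ftz/daz active (fast-math library loaded?)"


def flush_to_zero(x: float) -> float:
    """Software model of FTZ/DAZ, constructed for illustration only:
    any non-zero magnitude below the smallest normal double becomes 0.0."""
    return 0.0 if 0.0 < abs(x) < DBL_MIN else x


def invert_gap(a: float, b: float, ftz: bool = False) -> Optional[float]:
    """Return 1 / (a - b), guarded by an equality check.

    With IEEE semantics the guard is sound: a - b == 0.0 only when a == b,
    so the division never sees zero. With FTZ the guard still passes
    (a != b) but a subnormal difference is flushed to 0.0 and the division
    raises. ``ftz=True`` applies the software model so the failure can be
    reproduced in a clean process.
    """
    if a == b:
        return None
    diff = a - b
    if ftz:
        diff = flush_to_zero(diff)
    return 1.0 / diff  # ZeroDivisionError under FTZ even though a != b


if __name__ == "__main__":
    print("this process:", fast_math_status())
    a, b = 3e-308, 2e-308   # both normal doubles, but their difference is subnormal
    print("ieee:", invert_gap(a, b))
    try:
        print("ftz: ", invert_gap(a, b, ftz=True))
    except ZeroDivisionError:
        print("ftz:  division by zero although a != b")
```

The probe only detects the subnormal symptom; a fast-math build changes other things too, so a clean probe result does not prove nothing else is affected. Running `fast_math_status()` before and after importing a suspect extension is the quickest way to tell whether that import flipped the process-wide flags.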