All environment variables are promoted to MSBuild properties, so if you "set IncludeSSL=false" before building then it will show up (which is exactly how the proposed patch is getting CFLAGS in).

Unfortunately, batch file argument parsing is pretty horrid. I'd be happy to move to PowerShell based scripts, but that'll be asking a lot of some people, and probably isn't feasible for the existing buildbots.

Another concern about using CFLAGS is people ending up with broken builds because they had something else set in there - mostly because it's near impossible to diagnose remotely.

If we call it PY_CFLAGS< move it to pyproject.props, and require "$(BuildForRelease) != 'true'", then I'm fine with it. (The last condition ensures that official release builds via Tools\msi\buildrelease.bat will never be affected, and gives a fairly strong indication not to rely on implicit settings like this. Defaults that we need for actual releases should be integrated properly.)