[Bug 2108968] Re: Enable -fzero-init-padding-bits=all, -Wbidi-chars=any
Julian Andres Klode
2108968 at bugs.launchpad.net
Wed Sep 17 07:30:16 UTC 2025
We likely have to postpone the changes for dpkg to the next release
cycle as we need to prioritize work on coreutils over the visuals of our
build logs and ease of disabling these options (which so far nobody has
asked for).
The former would have been easy and is what I had planned for, but doko
specifically requested the ability to also disable these flags via build
options and that requires significantly more effort.
The next steps here are to come up with flag names and propose them to
debian-dpkg and get a consensus before moving forward with implementing
them. The initial patch can be found in
https://git.launchpad.net/~juliank/ubuntu/+source/dpkg/commit/?id=3ebdfb178dd9498c34a1095e5cbe474b0faf6d4e
but my conversation with doko suggests these need to move to Debian.pm
or some more stuff is needed there to register the flags (hence why it
needs coordinating).
Also without coordination it would only be usable in Ubuntu deltas,
which would incur more overhead if anyone actually used the option.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2108968
Title:
Enable -fzero-init-padding-bits=all, -Wbidi-chars=any
Status in dpkg package in Ubuntu:
Confirmed
Status in gcc-15 package in Ubuntu:
Fix Released
Bug description:
Hello, please consider this *untested* debdiff that I hope would
enable -fzero-init-padding-bits=all and -Wbidi-chars=any in the
Ubuntu-specific GCC specs.
The first option, -fzero-init-padding-bits=all, is asking the compiler
to zero out bits in unions and structs. GCC 15 moved to a more
standards-compliant implementation
https://gcc.gnu.org/gcc-15/changes.html -- we could bring back the GCC
14 behavior with -fzero-init-padding-bits=unions but the option of
zeroing even the unused padding bits is available to us now, I believe
we should use it.
https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fzero-init-padding-bits_003dvalue
The second option, -Wbidi-chars=any, brings no runtime security
benefits. Instead, it will log instances of potentially malicious use
of Unicode bidirectional characters that can mask malicious code from
human inspection. I hope some day we could scrape the logs to discover
abuse.
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#enable-warnings-for-possibly-misleading-unicode-bidirectional-control-characters
https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wbidi-chars_003d
I tried to introduce -fhardened (
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2080267 ,
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#enable-pre-determined-set-of-hardening-options-in-gcc
) but ran into significant problems. We should have a
conversation about it. I was really hoping -fhardened could address
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989 -- and I
think it would -- but the -Whardened warning messages (
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++#additional-considerations-6
) are obnoxious enough that we can't possibly ship the implementation that I
came up with.
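Added example (not part of the bug report, and not GCC's or dpkg's code): a source-side scan for the Unicode bidirectional control characters that the bug description says -Wbidi-chars=any is meant to surface. The function names, the character set (taken from Unicode UAX #9, which may differ from the set GCC checks) and the per-line pairing rule are assumptions of this sketch.

```python
import unicodedata

# Bidirectional control characters as defined in Unicode UAX #9 (assumed set).
EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # closers
MARKS = {"\u200e", "\u200f"}                           # LRM, RLM
BIDI = EMBEDDINGS | ISOLATES | MARKS | {PDF, PDI}


def scan(text):
    """Return (line, column, 'U+XXXX NAME') for every bidi control character."""
    hits = []
    # split("\n") rather than splitlines(): the latter also breaks on U+2028/U+2029.
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI:
                hits.append((lineno, col, f"U+{ord(ch):04X} {unicodedata.name(ch)}"))
    return hits


def unpaired_lines(text):
    """Return line numbers where an embedding, override or isolate is still open at end of line."""
    bad = []
    for lineno, line in enumerate(text.split("\n"), 1):
        stack = []
        for ch in line:
            if ch in EMBEDDINGS or ch in ISOLATES:
                stack.append(ch)
            elif ch == PDF and stack and stack[-1] in EMBEDDINGS:
                stack.pop()
            elif ch == PDI and any(c in ISOLATES for c in stack):
                while stack.pop() not in ISOLATES:  # PDI also ends embeddings inside the isolate
                    pass
        if stack:
            bad.append(lineno)
    return bad


# Constructed sample input, written with escapes so this file itself stays clean.
SAMPLE = (
    "int limit = 10;\n"
    "/* note \u202e reversed */\n"
    'const char *s = "\u2067abc\u2069";\n'
)

if __name__ == "__main__":
    for lineno, col, name in scan(SAMPLE):
        print(f"line {lineno}, col {col}: {name}")
    print("unpaired on lines:", unpaired_lines(SAMPLE))
```

The pairing check is a per-line simplification; it does not track comment or string-literal boundaries the way a compiler front end can.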