Source: fmtlib
Version: 4.0.0+ds-1
Severity: normal
X-Debbugs-CC: wen...@gmail.com

Hello there,

Thank you for packaging fmtlib4 in Debian.

I am packaging fcitx5 [1] into Debian inside pkg-ime team, which uses the header-only target of fmtlib. Your patch seems to have removed it explicitly.

Forwarded issue report: https://github.com/fcitx/fcitx5/issues/5

I saw that your recommendation is to use the static library provided. I think that may not be best practice. As you might already know, Debian doesn't really recommend using static libraries. Especially after the beginning of hardening efforts in Debian [2], using static libraries while building hardened binaries will encounter the problem that the static library is not built with -fPIC. This is the current case for fcitx5 using fmtlib.

As suggested in [2], there are three possible solutions:

1: remove the patch of removing header-only targets
2: build with -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE. Note that there are already some existing discussions floating around [3] [4].
3: create a new binary package providing shared library.

Hope we could solve this problem soon.

Regards,
Boyuan Yang

[1] https://github.com/fcitx/fcitx5
[2] https://wiki.debian.org/Hardening
[3] https://lists.debian.org/debian-devel/2016/05/msg00309.html
[4] https://lists.debian.org/debian-gcc/2016/10/msg00183.html