Bug#878070: fmtlib: Removing header-only target is causing problem
Control: retitle -1 fmtlib: static library should be compiled with -fPIC
Control: tags -1 + confirmed pending

Hello,

On 09.10.2017 15:15, Boyuan Yang wrote:
> I saw that your recommendation is to use the static library provided. I think
> that may not be best practice.

I agree it's not. However, fmtlib changed its major version 4 times in the last 2½ years, so considering its small size and relative instability (so far) the package doesn't provide a shared library right now. In version 4 there are fewer breaking changes than before, so I'll re-evaluate whether to add a shared library later in the release cycle.

> As you might already know, Debian doesn't really recommend using static
> libraries. Especially after the beginning of hardening efforts in Debian [2],
> using static libraries while building hardened binaries will encounter the
> problem that the static library is not built with -fPIC. This is the current
> case for fcitx5 using fmtlib.

Good point. The code should definitely be built with -fPIC. Thank you for the report, will be fixed in the next upload.

Regards,
--
Eugene V. Lyubimkin aka JackYF
C++ GNU/Linux userspace developer, Debian Developer
Bug#878070: fmtlib: Removing header-only target is causing problem
Source: fmtlib
Version: 4.0.0+ds-1
Severity: normal
X-Debbugs-CC: wen...@gmail.com

Hello there,

Thank you for packaging fmtlib4 in Debian.

I am packaging fcitx5 [1] into Debian inside pkg-ime team, which uses the header-only target of fmtlib. Your patch seems to have removed it explicitly.

Forwarded issue report: https://github.com/fcitx/fcitx5/issues/5

I saw that your recommendation is to use the static library provided. I think that may not be best practice.

As you might already know, Debian doesn't really recommend using static libraries. Especially after the beginning of hardening efforts in Debian [2], using static libraries while building hardened binaries will encounter the problem that the static library is not built with -fPIC. This is the current case for fcitx5 using fmtlib.

As suggested in [2], there are three possible solutions:

1: remove the patch of removing header-only targets
2: build with -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE. Note that there are already some existing discussions floating around [3] [4].
3: create a new binary package providing shared library.

Hope we could solve this problem soon.

Regards,
Boyuan Yang

[1] https://github.com/fcitx/fcitx5
[2] https://wiki.debian.org/Hardening
[3] https://lists.debian.org/debian-devel/2016/05/msg00309.html
[4] https://lists.debian.org/debian-gcc/2016/10/msg00183.html
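One way to check a static archive for the problem reported above, as an added example that is not part of the original thread or of the fmtlib packaging: the function reads `readelf -r` output and lists archive members that carry absolute 32-bit relocations, which the linker rejects in position-independent output with a "recompile with -fPIC" error. It assumes x86-64; the archive name, member names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use (path is a placeholder):
#   readelf -rW path/to/libexample.a | nonpic_relocs
# Prints "<member> <count>" for every member containing relocations that
# cannot be linked into PIE executables or shared objects (x86-64 only).

nonpic_relocs() {
    awk '
        function register(m) {
            if (!(m in seen)) { seen[m] = 1; order[++n] = m }
        }
        BEGIN { member = "(single object)" }
        # readelf introduces each archive member with "File: lib.a(member.o)"
        /^File: / { member = $2; register(member); next }
        # Relocation rows are: offset, info, type, symbol value, symbol name
        $3 == "R_X86_64_32" || $3 == "R_X86_64_32S" {
            register(member); bad[member]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (bad[order[i]] > 0) printf "%s %d\n", order[i], bad[order[i]]
        }
    '
}

# Constructed sample of `readelf -rW` output: first.o was built without
# -fPIC, second.o with it.
sample_readelf_output() {
    cat <<'EOF'

File: libexample.a(first.o)

Relocation section '.rela.text' at offset 0x2a8 contains 3 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000005  000500000000000a R_X86_64_32            0000000000000000 .rodata + 0
000000000000000a  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4
0000000000000013  000000050000000b R_X86_64_32S           0000000000000000 .rodata + 10

File: libexample.a(second.o)

Relocation section '.rela.text' at offset 0x2b0 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000007  0000000500000002 R_X86_64_PC32          0000000000000000 .rodata - 4
000000000000000c  0000000b00000004 R_X86_64_PLT32         0000000000000000 puts - 4
EOF
}

sample_readelf_output | nonpic_relocs
```

Empty output means no member was flagged; any listed member has to be rebuilt with position-independent code before the archive can be linked into a hardened binary.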