OK, so one of my packages shows up on this list. But I've verified that the compiler is indeed called with the proper flags in all cases, there are no instances of implicit declarations of anything (no lines matching "implicit" or "declaration" in the build log), as far as I can tell, the code does not define the problematic function (sprintf) itself, and the hostname in the URL http://ovecka.be/~lkundrak/blog/entries/fortify-check.html doesn't resolve. So what's to be done? My understanding was that we'd try to pass these flags at all times but that there's no strict guarantee that they will actually function on any particular piece of code and that we shouldn't go rewriting upstream code to make them work when there is no security exposure (as in the case of my package). - J< -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
