> “XXX” is fine here, because it may be impossible for us to fix it.
Ah ok. > I think this part should indeed be a separate patch. Also, Flex should > be ‘native-inputs’ presumably, whereas Cracklib should be in ‘inputs’. Already realized it, and pushed to core-updates as 7483230f17880c1cd50d1de53496dc1ececebbb8 25d1b3107fc7ebdc155649722fc257f4dbc4b04a and Leo already commented on a related security issue and is reverting the second commit: > For CVE-2016-6318, the disclosure message pointed out that if > cracklib is compiled without the FORTIFY_SOURCE compiler flag, the bug > can result in code execution and privilege escalation.
