Your message dated Thu, 16 Oct 2025 18:50:04 +0000
with message-id <[email protected]>
and subject line Bug#1111540: fixed in fltk1.4 1.4.4-1
has caused the Debian Bug report #1111540,
regarding libfltk1.4: uses private implementation details of libdecor which
might regress with new versions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111540
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libfltk1.4
Version: 1.4.3-1
Severity: normal
Tags: upstream
X-Debbugs-Cc: [email protected]
libdecor has two sets of interfaces:
- a public API for use by libraries like SDL and FLTK, with symbols
declared in <libdecor.h>;
- a private interface for use by libdecor's Cairo and GTK plugins, with
symbols declared in "libdecor-plugin.h"
The public API is API- and ABI-stable, is available by including
<libdecor.h> from libdecor-0-dev, and in the Debian packaging we've
set it to generate dependencies like "libdecor-0-0 (>= 0.1.0)" in the
usual way.
The plugin interface is not stable, and I believe upstream's position is
that it may change at any time (like many projects they only support
in-tree plugins, not out-of-tree plugins, to keep the size of their
stable API under control). The key clue that it is not a stable
interface is that libdecor-plugin.h is not installed. To ensure that
libdecor plugins get the correct dependency relationship with libdecor,
in the Debian packaging we've set the private symbols to generate
lockstep dependencies like "libdecor-0-0 (= 0.2.3-1)" if used.
However, it turns out that FLTK does call some of the private functions,
specifically libdecor_frame_get_content_height() and
libdecor_frame_get_content_width() called from
src/drivers/Wayland/Fl_Wayland_Window_Driver.cxx. It gets access to
their declarations by having a vendored copy of libdecor, and using the
libdecor-plugin.h from there. This is dangerous: the declarations in the
vendored libdecor do not necessarily have anything to do with the system
libdecor! For instance, if upstream changed the content width and height
parameters from int to size_t for whatever reason, FLTK would be calling
the function with the wrong ABI, leading to memory corruption.
If FLTK needs to call those two functions for whatever reason, the way
to do this correctly would be to talk to libdecor upstream and arrange
for them to be added to the stable public API in <libdecor.h> in a
future release, and then depend on at least that version.
I think the signature of those two functions is unlikely to change in
practice, so for now I'll set those two functions to generate ordinary
(>=) dependencies and ask the release team to binNMU FLTK, so that
libdecor can migrate to testing. However, before doing that, I wanted to
have a bug report open to say that I consider this to be unsupported and
a regression risk.
smcv
--- End Message ---
--- Begin Message ---
Source: fltk1.4
Source-Version: 1.4.4-1
Done: Aaron M. Ucko <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fltk1.4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aaron M. Ucko <[email protected]> (supplier of updated fltk1.4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 16 Oct 2025 14:30:20 -0400
Source: fltk1.4
Architecture: source
Version: 1.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FLTK Ecosystem Team <[email protected]>
Changed-By: Aaron M. Ucko <[email protected]>
Closes: 1111540 1112001 1112923 1114104
Changes:
fltk1.4 (1.4.4-1) unstable; urgency=medium
.
[ Alexandre Detiste ]
* Update Vcs-* urls.
* Drop "Rules-Requires-Root: no": it is the new default.
.
[ Aaron M. Ucko ]
* New upstream release. (NOT RELEASED YET.)
* debian/FLTK-Targets-none-tail.cmake: Never insist on fltk::options.
* debian/control:
- Build-Depends-Indep: Add texlive-fonts-{extra,recommended}
and texlive-pictures, collectively needed for new Unicode character
declarations.
- Reflect the move to the new Debian FLTK Ecosystem Team (albeit with
myself as the only uploader, at least for now).
- Reformat via "cme fix dpkg-control" (routine-update).
* debian/fix-fltk-targets: Drop extraneous *-shared executable stanzas
(including all games') rather than mistaking them for shared
libraries' (or even ignoring them). (Closes: #1112001.)
* debian/libfltk1.4.symbols.common: Add the one new symbol.
* documentation/CMakeLists.txt: Account for the new latex-extras.sty
(nominally configurable so a copy ends up in the build tree).
* documentation/Doxyfile.in: Use it.
* documentation/latex-extras.sty (new):
- Supply a fallback definition of \insert@pcolumn based on the
traditional (late 1980s-2023) definition of \insert@column to work
around an incompatibility (#1114077) between the old version of
array.sty Doxygen's preserved copy of archaic tabu.sty requires and
other portions of TeX Live 2025. (Closes: #1112923, #1114104.)
- Ensure LaTeX knows what to make of all Unicode characters in the
input.
.
[ Manolo Gouy ]
* src/drivers/wayland/Fl_Wayland_Window_Driver.cxx: Stop calling
non-public libdecor_frame_get_content_{width,height}.
(Closes: 1111540.)
Checksums-Sha1:
143e29ff00c1e15d2e1007e5a30178e17cd55306 3274 fltk1.4_1.4.4-1.dsc
e30b11c685db25809808c1bea45b458b947d0905 9285702 fltk1.4_1.4.4.orig.tar.gz
d483bea1dea332303a5020c12044395d2f2aaf2c 67784 fltk1.4_1.4.4-1.debian.tar.xz
Checksums-Sha256:
65ba14cada5181acbcc1f867e6a20a9e4f6c1db397c72af4ad046cf7952a0f3f 3274
fltk1.4_1.4.4-1.dsc
94b464cce634182c8407adac1be5fc49678986ca93285699b444352af89b4efe 9285702
fltk1.4_1.4.4.orig.tar.gz
cb0c156960e33954ba060baeef78b10d7c34c3fe491214b23460706513c4509c 67784
fltk1.4_1.4.4-1.debian.tar.xz
Files:
894ddd4753c538862b072a34f12afe51 3274 libs optional fltk1.4_1.4.4-1.dsc
83c567727e61c779f6681b0298226d05 9285702 libs optional
fltk1.4_1.4.4.orig.tar.gz
fe236c701d412a9ec30dd59f66523c6b 67784 libs optional
fltk1.4_1.4.4-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEfDq5z9IwvTDdAJxZHnCRsfFKZKIFAmjxOj4ACgkQHnCRsfFK
ZKIpIg/+L3HZuLr5Iv2Eg+QbFYvQyJxdk70tHTBEKt85xt+2XUVU5A4ZmhGOPUCP
zezhCw88NSwU9sXfe7lsczPBeoOyr+OHakTvKJvdRYV12Psd1rkFibs8ERVoAbV/
c319Fn+VCiiXITdAOirjAzT6scOkKH6xXnUvKcaV6SeLgNFqRAMZlPM49Nb+ypwA
KU1o2tAw6Xy2Ub35VO4CO8FIEKiw2VDJbgngaFpwq8ORp05LkO1ycOM/Bz+Qjhkt
zb6KfWEWibgyESglah9QVrJInDVWUFHnTJjfJBDOxDiO3BoLfjYVBH60QWOWQg94
7nf5shfasS2VS+jgLhf1pxJ7xdXRkmI7UdBl3yYd6jH8SGwi6rBe4rw4+cBq1fOE
mhk/mGgjVr0s358eFzwIePYwZ6f6eAoPqstr5MXJ0aaLXZtcRVfFz+XkhwwZ79Dr
mKy5mMVW59pyaIlYcG+NtSHh+J9KU7p8EcFOZLPB258FnhD0DuZdyQdvLeM5swxq
PQ5WfCmv6lg8pyvoGFGq+ZIoU4sZTluHDEzGvWmIyRXV5uMpkNY7XRTcBEtndmZ8
V1ptLfNzsaXcq+lLYiYCxutl+oDv1WLyX6P+NPqE+7pXeagpez3dABO3EIAVAqqu
ujy56RIu6LdO1k9t8HAImCm+yFPDPuYM5sbLrCiXwut8CNzfUpA=
=AjCR
-----END PGP SIGNATURE-----
pgp6gZuXpwLxk.pgp
Description: PGP signature
--- End Message ---
