> Cc: 37852@debbugs.gnu.org, rcopley@gmail.com
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 22 Oct 2019 11:27:48 -0700
>
> > Should we perhaps test for -lssp, and if it is found, add it to the
> > link command when we define _FORTIFY_SOURCE?
>
> If this is done only on MSYS2 platforms, and if -lssp is used only when
> it causes otherwise-failing programs to work, then it should be OK. I
> wouldn't do it elsewhere because on Fedora at any rate, -lssp used to be
> trouble and was best avoided.

Right.

> It vaguely sounds like MSYS2 is trailing Fedora and so is experiencing
> problems Fedora had a few years ago (see, e.g.,
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4973>).

I actually think it's a bug in MSYS2, and hope they will fix it soon.
So perhaps we should just wait and see if the current situation, after
your patch, is good enough.

Thanks.