Conversation

@18202781743 (Contributor) commented Jul 3, 2025

  1. Added DEB_BUILD_MAINT_OPTIONS with hardening=+all
  2. Appended security flags to C/CXX compilers (-fstack-protector-all, -Wall)
  3. Added linker security flags (RELRO, NOW, noexecstack, -E)
  4. These changes improve binary security by enabling various protections against common vulnerabilities

fix: add security hardening flags to the build process

  1. Added DEB_BUILD_MAINT_OPTIONS with hardening=+all
  2. Appended security flags to the C/CXX compilers (-fstack-protector-all, -Wall)
  3. Added linker security flags (RELRO, NOW, noexecstack, -E)
  4. These changes improve binary security by enabling various protections against common vulnerabilities

Summary by Sourcery

Enable security hardening in the Debian build by configuring maintainer options and adding compiler and linker flags to strengthen binary protections.

Enhancements:

  • Append -fstack-protector-all and -Wall to C/C++ compilation flags
  • Add RELRO, NOW, noexecstack, and -E flags to the linker for enhanced security

Build:

  • Set DEB_BUILD_MAINT_OPTIONS to hardening=+all in Debian build configuration

@18202781743 18202781743 requested review from BLumia and mhduiy July 3, 2025 08:19
github-actions bot commented Jul 3, 2025

  • Detected changes to files in the debian directory: debian/rules

  • Detected changes involving the sensitive keyword export

Details
    {
        "export": {
            "debian/rules": {
                "b": [
                    "export DEB_BUILD_MAINT_OPTIONS = hardening=+all",
                    "export DEB_CFLAGS_MAINT_APPEND = -fstack-protector-all -Wall",
                    "export DEB_CXXFLAGS_MAINT_APPEND = -fstack-protector-all -Wall",
                    "export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E"
                ]
            }
        }
    }

@github-actions github-actions bot requested a review from liujianqiang-niu July 3, 2025 08:19
sourcery-ai bot commented Jul 3, 2025

Reviewer's Guide

This PR enhances the Debian package build process by injecting comprehensive hardening options and security flags into the compiler and linker invocations via updates to debian/rules.

File-Level Changes

Change: Enable full hardening during package build
  Details:
    • Set DEB_BUILD_MAINT_OPTIONS to include hardening=+all
    • Export DEB_BUILD_MAINT_OPTIONS in the build environment
  Files: debian/rules

Change: Append security and warning flags to compilers
  Details:
    • Add -fstack-protector-all to CFLAGS and CXXFLAGS
    • Add -Wall to CFLAGS and CXXFLAGS
  Files: debian/rules

Change: Inject linker hardening flags
  Details:
    • Add RELRO and NOW via -Wl,-z,relro and -Wl,-z,now
    • Enable no-execute stack using -Wl,-z,noexecstack
    • Expose symbols table with -Wl,-E
  Files: debian/rules

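Whether the flags added in debian/rules actually reach the produced binaries is worth verifying on the build output rather than assumed from the rules file. The checker below is an added example written for this page, not code from this PR or from the linuxdeepin project: it parses an ELF64 program header table and dynamic section and reports a non-executable stack (-z noexecstack), partial versus full RELRO (-z relro with -z now) and whether the stack-protector runtime symbol __stack_chk_fail is referenced, which is what -fstack-protector-all (or the -fstack-protector-strong that hardening=+all already supplies) produces. The sample images it checks are constructed in memory for illustration and are not real binaries; give it a path to check an actual file.

```python
"""Report ELF64 hardening properties that the debian/rules flags above aim at:
non-executable stack, RELRO plus BIND_NOW, and a stack protector. Standard
library only; the sample images are constructed here and are not loadable."""
import struct
import sys

# ELF constants, as in elf.h
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"          # Elf64_Phdr
DYN = "<qQ"                 # Elf64_Dyn (d_tag is signed)


def program_headers(data):
    """Return the program headers as dicts; only ELF64 little-endian is handled."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    phoff = struct.unpack_from("<Q", data, 0x20)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    return [dict(zip(keys, struct.unpack_from(PHDR, data, phoff + i * phentsize)))
            for i in range(phnum)]


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
            return vaddr - ph["vaddr"] + ph["offset"]
    raise ValueError("address 0x%x is not file-backed" % vaddr)


def dynamic_entries(data, phdrs):
    """Read PT_DYNAMIC into {tag: value}; empty for a static binary."""
    dyn = next((ph for ph in phdrs if ph["type"] == PT_DYNAMIC), None)
    entries = {}
    if dyn is None:
        return entries
    off, end = dyn["offset"], dyn["offset"] + dyn["filesz"]
    while off + 16 <= end:
        tag, val = struct.unpack_from(DYN, data, off)
        if tag == DT_NULL:
            break
        entries[tag] = val
        off += 16
    return entries


def check_hardening(data):
    """Return {'nx_stack': bool, 'relro': 'full'|'partial'|'none', 'stack_protector': bool}."""
    phdrs = program_headers(data)
    dyn = dynamic_entries(data, phdrs)
    stack = next((ph for ph in phdrs if ph["type"] == PT_GNU_STACK), None)
    # No PT_GNU_STACK at all means the loader falls back to an executable stack.
    nx_stack = stack is not None and not (stack["flags"] & PF_X)
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    bind_now = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    stack_protector = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(phdrs, dyn[DT_STRTAB])
        stack_protector = b"__stack_chk_fail\0" in data[start:start + dyn[DT_STRSZ]]
    return {"nx_stack": nx_stack, "relro": relro, "stack_protector": stack_protector}


def build_sample_elf(nx_stack=True, relro=True, bind_now=True, canary=True):
    """Constructed minimal ELF64 image (header, program headers, dynamic table,
    dynamic strings) with the requested properties; not a loadable binary."""
    base, data_off = 0x400000, 0x200
    dynstr = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if canary else b"")
    tail = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dynstr_vaddr = base + data_off + 16 * (2 + len(tail))
    dyn_tab = [(DT_STRTAB, dynstr_vaddr), (DT_STRSZ, len(dynstr))] + tail
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in dyn_tab)
    body = dynamic + dynstr
    total = data_off + len(body)

    def ph(p_type, p_flags, off, size):  # p_vaddr == p_paddr == base + file offset
        return struct.pack(PHDR, p_type, p_flags, off, base + off, base + off, size, size, 0x1000)

    phdrs = [ph(PT_LOAD, PF_R | PF_W, 0, total),
             ph(PT_DYNAMIC, PF_R | PF_W, data_off, len(dynamic)),
             ph(PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0)]
    if relro:
        phdrs.append(ph(PT_GNU_RELRO, PF_R, data_off, len(dynamic)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    table = ehdr + b"".join(phdrs)
    return table + bytes(data_off - len(table)) + body


def main(argv):
    if len(argv) > 1:  # check a real file; otherwise the constructed sample
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_elf()
    for name, value in check_hardening(data).items():
        print("%-16s %s" % (name, value))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against an executable or shared object taken from the built package; the standard Debian tool for the same check is hardening-check from devscripts, which additionally reports FORTIFY and PIE. Two points to keep in mind when reading the results: -Wl,-E (--export-dynamic) is not a hardening property and is not reported here, since it only puts every global symbol into the dynamic symbol table (needed for plugins that resolve symbols from the host executable, otherwise just a larger exported surface); and hardening=+all already makes dpkg-buildflags emit -fstack-protector-strong, -D_FORTIFY_SOURCE, PIE, -z relro and -z now, so the explicit relro/now flags in the patch are redundant with it and -fstack-protector-all, appearing later on the compiler command line, overrides the strong variant with the one that instruments every function.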

sourcery-ai bot left a comment

Hey @18202781743 - I've reviewed your changes and they look great!


github-actions bot commented Jul 3, 2025

  • Detected changes to files in the debian directory: debian/rules

  • Detected changes involving the sensitive keyword export

Details
    {
        "export": {
            "debian/rules": {
                "b": [
                    "export DEB_BUILD_MAINT_OPTIONS = hardening=+all",
                    "export DEB_CFLAGS_MAINT_APPEND = -Wall",
                    "export DEB_CXXFLAGS_MAINT_APPEND = -Wall",
                    "export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E"
                ]
            }
        }
    }

deepin-ci-robot commented: deepin pr auto review

Key summary:

  • Security compile flags were added in the debian/rules file; this is good practice and helps improve the software's security.

Are immediate changes recommended:

  • No, the changes in the current commit are reasonable and no issues requiring immediate changes were found. However, the following additional checks and improvements are recommended:
  1. Documentation and comments: add comments before the added compile flags explaining their purpose and effect, so that other developers understand these changes.
  2. Compatibility check: make sure these compile flags are compatible with the rest of the project and do not introduce any compile errors or performance problems.
  3. Testing: before merging these changes, test them thoroughly in a development environment to make sure they do not affect existing functionality.

Other suggestions:

  • Consider adding corresponding documentation in the debian/control file explaining the purpose of these compile flags, so that users and developers understand them.
  • If the project has a continuous integration/continuous deployment (CI/CD) pipeline, make sure these changes do not break the existing automated build and deployment process.

deepin-ci-robot commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, mhduiy

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@18202781743 18202781743 merged commit 328589d into linuxdeepin:master Jul 3, 2025
16 of 17 checks passed