feat: add reproducible build parameter

[18202781743]

Added CMAKE_SKIP_BUILD_RPATH flag to enable reproducible builds
This change ensures that builds are reproducible by preventing the
inclusion of build-specific paths in the binary
The flag is added to DEB_CMAKE_EXTRA_FLAGS and passed to
dh_auto_configure command
This is important for package verification and security auditing

Influence:

1. Test building the package multiple times to verify reproducibility
2. Compare binary checksums from different builds
3. Verify that the package still installs and runs correctly
4. Check that no build paths are embedded in the final binaries
5. Test cross-compilation scenarios if applicable

feat: 添加可重复编译参数

添加 CMAKE_SKIP_BUILD_RPATH 标志以启用可重复编译
此更改通过防止在二进制文件中包含特定于构建的路径来确保构建的可重复性
该标志被添加到 DEB_CMAKE_EXTRA_FLAGS 并传递给 dh_auto_configure 命令
这对于软件包验证和安全审计非常重要

Influence:

1. 多次测试构建软件包以验证可重复性
2. 比较不同构建的二进制文件校验和
3. 验证软件包仍能正确安装和运行
4. 检查最终二进制文件中是否嵌入了构建路径
5. 测试交叉编译场景（如果适用）

Summary by Sourcery

Add support for reproducible Debian package builds by configuring CMake to skip embedding build-specific RPATHs in binaries.

New Features:

• Introduce a reproducible-build configuration flag to omit build-specific paths from generated binaries.

Build:

• Pass CMAKE_SKIP_BUILD_RPATH via DEB_CMAKE_EXTRA_FLAGS in debian/rules so dh_auto_configure produces reproducible binaries.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds the CMAKE_SKIP_BUILD_RPATH CMake flag to the Debian packaging rules so that dh_auto_configure is invoked with reproducible-build settings, preventing build-specific RPATHs from being embedded in generated binaries.

File-Level Changes

Change	Details	Files
Configure CMake via Debian rules to skip embedding build RPATHs, improving reproducibility of generated binaries.	Extend the DEB_CMAKE_EXTRA_FLAGS variable to include -DCMAKE_SKIP_BUILD_RPATH=ON. Ensure the updated DEB_CMAKE_EXTRA_FLAGS value is passed through to the dh_auto_configure step during package build.	debian/rules

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider scoping CMAKE_SKIP_BUILD_RPATH so it only affects the relevant build types or packages (e.g., release builds), to avoid unexpectedly changing RPATH behavior for local or debug builds that might rely on build-time RPATHs.
• If the project uses installed RPATHs, double-check whether you also need to control CMAKE_SKIP_RPATH / CMAKE_SKIP_INSTALL_RPATH or related flags in DEB_CMAKE_EXTRA_FLAGS to keep reproducibility consistent between build and installed binaries.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider scoping `CMAKE_SKIP_BUILD_RPATH` so it only affects the relevant build types or packages (e.g., release builds), to avoid unexpectedly changing RPATH behavior for local or debug builds that might rely on build-time RPATHs.
- If the project uses installed RPATHs, double-check whether you also need to control `CMAKE_SKIP_RPATH` / `CMAKE_SKIP_INSTALL_RPATH` or related flags in `DEB_CMAKE_EXTRA_FLAGS` to keep reproducibility consistent between build and installed binaries.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

我来对这个git diff进行审查：

1. 语法逻辑：

• 语法正确，符合debian/rules文件的格式要求
• DEB_CMAKE_EXTRA_FLAGS变量的追加和引用都符合规范

2. 代码质量：

• 添加了注释"# reproducible编译参数"，提高了代码可读性
• 修改位置合理，在export LDFLAGS之后、configure之前添加CMAKE参数是合适的

3. 代码性能：

• -DCMAKE_SKIP_BUILD_RPATH=ON参数可以避免在构建时添加RPATH，有助于提高二进制文件的加载性能
• 这个参数可以减少运行时的动态库搜索路径，提高程序启动速度

4. 代码安全：

• 这个修改实际上增强了安全性，因为：
  • 避免了不必要的RPATH可能带来的安全风险
  • 配合已有的LDFLAGS安全参数(-z,relro -z,now -z,noexecstack)进一步加固了二进制文件

改进建议：

1. 建议在注释中更详细地说明为什么需要这个参数，比如：

# reproducible编译参数
# 禁用构建时RPATH，避免硬编码路径，提高安全性和可移植性
DEB_CMAKE_EXTRA_FLAGS += -DCMAKE_SKIP_BUILD_RPATH=ON

2. 考虑添加其他reproducible构建相关的参数，如：

DEB_CMAKE_EXTRA_FLAGS += -DCMAKE_SKIP_BUILD_RPATH=ON \
                        -DCMAKE_BUILD_TYPE=RelWithDebInfo \
                        -DCMAKE_POSITION_INDEPENDENT_CODE=ON

总体来说，这是一个好的修改，提高了构建的安全性和可移植性，符合reproducible builds的最佳实践。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, mhduiy

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment