
fix: add hardening build flags to debian/rules #332

Merged
deepin-bot[bot] merged 1 commit into linuxdeepin:master from mhduiy:sec
Jul 3, 2025

Conversation

@mhduiy mhduiy commented Jul 2, 2025
Contributor

Added several security hardening build flags to the Debian package build configuration:

  1. Set DEB_BUILD_MAINT_OPTIONS to enable all hardening features
  2. Added -Wall warning flag for both C and C++ compilers
  3. Added linker flags for security features including RELRO, immediate binding, noexecstack, and export dynamic

These changes improve the security of the resulting binary by enabling various compiler and linker protections against common exploitation techniques.

fix: add security hardening build flags to debian/rules

Added several security hardening build flags to the Debian package build configuration:

  1. Set DEB_BUILD_MAINT_OPTIONS to enable all hardening features
  2. Added the -Wall warning flag for the C and C++ compilers
  3. Added linker flags for security features, including RELRO, immediate binding, noexecstack and export dynamic

These changes improve the security of the generated binary by enabling various compiler and linker protections against common exploitation techniques.

Summary by Sourcery

Enable compiler and linker security hardening flags in the Debian package build

Build:

  • Set DEB_BUILD_MAINT_OPTIONS to enable all hardening features
  • Add -Wall warning flag for both C and C++ compilers
  • Include linker security flags (RELRO, immediate binding, noexecstack, export-dynamic)

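As an added example, not code from this PR or from the deepin project, the following Python checker reads an ELF binary's program headers and dynamic section to confirm that a build actually carries the protections the new linker flags request: a PT_GNU_RELRO segment for -Wl,-z,relro, a bind-now marker for -Wl,-z,now, and a PT_GNU_STACK header without PF_X for -Wl,-z,noexecstack. It handles little-endian ELF64 only and constructs its own minimal test images; on a Debian system the devscripts tool hardening-check performs the same verification on real packages.

```python
import struct

# ELF constants from the SysV ABI and GNU extensions (values as in elf.h)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_bytes(data: bytes) -> dict:
    """Report RELRO, BIND_NOW and executable-stack status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    # Without a PT_GNU_STACK header the loader falls back to an executable stack
    result = {"relro": False, "bind_now": False, "execstack": True}
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # emitted by -Wl,-z,relro
            result["relro"] = True
        elif p_type == PT_GNU_STACK:        # -Wl,-z,noexecstack clears PF_X here
            result["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic:
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            # -Wl,-z,now is recorded as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_elf(relro: bool, bind_now: bool, execstack: bool) -> bytes:
    """Constructed minimal ELF64 image for testing: headers plus a dynamic section, no code."""
    phdrs = [(PT_GNU_STACK, PF_X if execstack else 0, 0, 0)]  # (p_type, p_flags, p_offset, p_filesz)
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0))
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 0, 64 + 56 * (len(phdrs) + 1), len(dyn)))  # dynamic data follows the headers
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs) + dyn
```

Run check_bytes(open(path, "rb").read()) on the packaged binary; full_relro True together with execstack False is what the new DEB_LDFLAGS_MAINT_APPEND should produce. --export-dynamic leaves no marker to check here, since it only widens the dynamic symbol table.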

@sourcery-ai sourcery-ai Bot commented Jul 2, 2025

Reviewer's Guide

This PR enhances the Debian package build by updating debian/rules to enable full hardening features, enforce compiler warnings, and apply security-focused linker flags.

File-Level Changes

Change: Enable all hardening features via DEB_BUILD_MAINT_OPTIONS
  • Set DEB_BUILD_MAINT_OPTIONS to include 'hardening=+all'
  Files: debian/rules
Change: Add -Wall warning flag to compilers
  • Append -Wall to CFLAGS
  • Append -Wall to CXXFLAGS
  Files: debian/rules
Change: Inject security-focused linker flags
  • Add -Wl,-z,relro
  • Add -Wl,-z,now
  • Add -Wl,-z,noexecstack
  • Add -Wl,--export-dynamic
  Files: debian/rules


@sourcery-ai sourcery-ai Bot left a comment


Hey @mhduiy - I've reviewed your changes and they look great!


@deepin-ci-robot


deepin pr auto review

Several new environment variables have been added to the debian/rules file; they control the compile and link options used during the build. Here are some suggestions regarding these changes:

  1. Security

    • DEB_BUILD_MAINT_OPTIONS = hardening=+all: this option enables all available security hardening measures, which is good practice and helps improve the software's security. Make sure the maintainers understand what these options mean and what effects they may have.
  2. Code quality

    • DEB_CFLAGS_MAINT_APPEND = -Wall and DEB_CXXFLAGS_MAINT_APPEND = -Wall: these options enable all warnings, which helps uncover potential code problems. Make sure the developers on the team are familiar with these warnings and know how to handle them.
  3. Performance

    • DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E: these options optimize the link process, reduce unnecessary dependencies, strengthen the security of the binary and improve performance. Make sure these options do not negatively affect the build process.
  4. Maintainability

    • New environment variables were added without documentation explaining their purpose and configuration. It is recommended to add comments in the debian/rules file explaining what each variable does and how it is configured.
  5. Compatibility

    • Make sure these options are compatible with the project's other dependencies and build system. If the project depends on an older compiler or linker, these options may need to be adjusted.
  6. Testing

    • After introducing these changes, comprehensive testing is recommended to make sure the build process and the software's functionality are unaffected.

In summary, these changes help improve the software's security and quality, but team members need to understand what these options mean and how to configure them, and sufficient testing is needed to ensure compatibility and performance.

@deepin-ci-robot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, mhduiy

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mhduiy

mhduiy commented Jul 3, 2025

Contributor Author

/forcemerge

@deepin-bot

deepin-bot Bot commented Jul 3, 2025


This pr force merged! (status: blocked)

@deepin-bot deepin-bot Bot merged commit 9d55dbc into linuxdeepin:master Jul 3, 2025
7 of 9 checks passed