chore: Update compiler flags for security enhancements

[wangrong1069]

Summary by Sourcery

Enable additional hardening flags for release builds and bump the package version across architecture-specific metadata files.

Build:

• Enable security-focused compiler and linker flags for release builds.

Deployment:

• Update application version metadata to 6.5.32.1 across all architecture-specific linglong.yaml files.

[github-actions]

TAG Bot

TAG: 6.5.32
EXISTED: no
DISTRIBUTION: unstable

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds hardened compiler/linker flags for Release builds and bumps the application package version across all architecture-specific metadata files.

Flow diagram for enabling hardening flags in Release builds

flowchart TD
  A[CMake configure] --> B{CMAKE_BUILD_TYPE}
  B -->|Release| C[Enable build hardening]
  B -->|Other| F[Use default flags]
  C --> D[Set CMAKE_VERBOSE_MAKEFILE ON]
  C --> E[Append hardened C and CXX flags]
  C --> G[Append hardened linker flags]
  E --> H[Compile with -Wdate-time, -D_FORTIFY_SOURCE=2, -g, -O2, -ffile-prefix-map, -fstack-protector-strong, -fstack-clash-protection, -Wformat, -Werror=format-security, -fcf-protection]
  G --> I[Link with -Wl,-z,relro and -Wl,-z,now]

Loading

File-Level Changes

Change	Details	Files
Introduce security-focused compiler and linker hardening flags for Release builds.	Guard new flags behind a CMAKE_BUILD_TYPE STREQUAL "Release" condition. Enable verbose makefile output when hardening is enabled. Augment C and C++ compiler flags with fortify, stack protection, stack clash protection, control-flow protection, format warnings as errors, and deterministic debug info options. Extend executable linker flags with RELRO and immediate binding (now) options.	CMakeLists.txt
Bump package version to 6.5.32.1 across architecture-specific Linglong metadata.	Update base linglong.yaml package version field. Update architecture-specific linglong.yaml versions for arm64, loong64, mips64, and sw64 to keep them in sync.	linglong.yaml arm64/linglong.yaml loong64/linglong.yaml mips64/linglong.yaml sw64/linglong.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The CMAKE_BUILD_TYPE STREQUAL "Release" guard won’t work as expected for multi-config generators (e.g., Ninja Multi-Config, Visual Studio); consider using generator expressions or config-specific flags instead of relying on CMAKE_BUILD_TYPE.
• Enabling -g, -O2, and CMAKE_VERBOSE_MAKEFILE for Release builds may not be desirable for all consumers; consider making these debug/diagnostic options configurable via cache variables or limiting them to non-Release configurations.
• Directly appending compiler/linker flags to CMAKE_C_FLAGS/CMAKE_CXX_FLAGS/CMAKE_EXE_LINKER_FLAGS makes them global and harder to override; consider using add_compile_options()/target_compile_options() and target_link_options() scoped to relevant targets instead.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `CMAKE_BUILD_TYPE STREQUAL "Release"` guard won’t work as expected for multi-config generators (e.g., Ninja Multi-Config, Visual Studio); consider using generator expressions or config-specific flags instead of relying on `CMAKE_BUILD_TYPE`.
- Enabling `-g`, `-O2`, and `CMAKE_VERBOSE_MAKEFILE` for Release builds may not be desirable for all consumers; consider making these debug/diagnostic options configurable via cache variables or limiting them to non-Release configurations.
- Directly appending compiler/linker flags to `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS`/`CMAKE_EXE_LINKER_FLAGS` makes them global and harder to override; consider using `add_compile_options()`/`target_compile_options()` and `target_link_options()` scoped to relevant targets instead.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这份代码 diff 主要展示了在 CMakeLists.txt 中添加了编译时的安全加固选项，并更新了项目版本号。以下是对这些更改的详细审查和改进意见：

1. 语法与逻辑审查

• CMake 语法正确性：
  • 语法是正确的。使用 if(CMAKE_BUILD_TYPE STREQUAL "Release") 来判断构建类型是标准做法。
  • 使用 set 命令追加标志到 CMAKE_CXX_FLAGS 等变量也是正确的。
• 逻辑合理性：
  • 仅在 Release 模式下开启这些加固选项是合理的，因为 Debug 模式通常需要 -O0 且不需要这些优化相关的安全标志，且部分标志（如 -Werror）可能会在开发调试时带来不便。
  • 版本号更新逻辑一致，linglong.yaml 和 debian/changelog 均已同步更新。

2. 代码质量审查

• 可读性与维护性：
  • 建议：将这一长串编译器标志定义为一个变量或列表，可以提高可读性。
  • 问题：message("Enable build hardening.") 缺少 STATUS 或 WARNING 等关键字。在 CMake 中，建议使用 message(STATUS "...") 来输出常规构建信息，这样在非 verbose 模式下也能更好地控制输出。
  • 问题：set(CMAKE_VERBOSE_MAKEFILE ON) 被放在了 if(Release) 块中。这意味着只有 Release 构建才会输出详细的编译信息。通常开发者希望在 Debug 模式下看到详细编译信息以便排查问题，而在 Release 模式下保持输出精简。建议移除该行或根据需求调整位置。
• 跨平台兼容性：
  • 问题：添加的标志（如 -fcf-protection, -fstack-clash-protection）是 GCC/Clang 特有的。虽然项目看起来是基于 Linux 的 UOS/Deepin，但如果未来考虑使用 MSVC 或其他编译器，这段代码会导致报错。建议添加编译器判断：

    if(CMAKE_BUILD_TYPE STREQUAL "Release" AND (CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang"))
        # ... 设置标志
    endif()

3. 代码性能审查

• 优化级别：
  • 代码中显式添加了 -O2。这会覆盖 CMake 默认的 Release 优化级别（通常是 -O3）。对于计算器这类应用，-O2 是一个很好的平衡点，既保证了性能又避免了 -O3 可能带来的代码体积膨胀或潜在的不稳定性，这是合理的。
• Debug 信息：
  • 添加了 -g。这会在 Release 二进制文件中包含调试符号。虽然这对事后崩溃分析（coredump）非常有帮助，但会增加二进制文件的大小。如果发布包对体积极其敏感，可以考虑在构建完成后使用 strip 命令去除符号，或者分离符号包。但在 Linux 发行版构建中，保留 -g 是标准做法，以便生成调试包。

4. 代码安全审查

这是本次更改的核心部分，引入的标志极大地增强了二进制文件的安全性：

• -D_FORTIFY_SOURCE=2：
  • 评价：优秀。在编译时进行缓冲区溢出检查，需要配合优化选项（如 -O2）使用，代码中已包含 -O2，配置正确。
• -fstack-protector-strong：
  • 评价：优秀。比 -fstack-protector 提供更强的栈保护，且性能开销可控。
• -fstack-clash-protection：
  • 评价：优秀。防止栈冲突攻击（Stack Clash），增加栈分配的间隔。
• -Wformat -Werror=format-security：
  • 评价：优秀。强制检查格式化字符串漏洞，并将此类警告视为错误。这能有效防止格式化字符串漏洞。
• -fcf-protection：
  • 评价：优秀。添加控制流保护技术，防止跳转-oriented programming (JOP) 和 return-oriented programming (ROP) 攻击。
  • 注意：该选项在较旧的 x86_64 GCC 版本（< 8.0.1）中不支持。考虑到 UOS/Deepin 的环境通常较新，问题不大，但需注意旧编译器环境的兼容性。
• -Wl,-z,relro -Wl,-z,now：
  • 评价：优秀。启用 RELRO (Relocation Read-Only) 和立即绑定。这使得 GOT/PLT 表在程序启动后变为只读，攻击者难以修改其内容进行 GOT 劫持。
• -Wdate-time：
  • 评价：一般。该选项主要用于让编译警告包含时间戳，有助于构建的可复现性检查（Reproducible Builds），本身不直接提升运行时安全性，但属于良好的工程实践。
• -ffile-prefix-map=...：
  • 评价：优秀。用于移除构建路径，使得构建结果更独立于构建环境，有助于实现可复现构建，同时避免泄露开发者机器的路径信息。

5. 改进建议总结

1. 优化 CMake 代码结构：
   建议将标志提取为变量，并增加编译器类型检查，修改 message 输出级别。

   if(CMAKE_BUILD_TYPE STREQUAL "Release")
       message(STATUS "Enable build hardening.")
   
       # 定义通用的安全编译选项
       set(HARDENING_FLAGS
           -Wdate-time
           -D_FORTIFY_SOURCE=2
           -g
           -O2
           -ffile-prefix-map=${CMAKE_SOURCE_DIR}=.
           -fstack-protector-strong
           -fstack-clash-protection
           -Wformat
           -Werror=format-security
           -fcf-protection
       )
   
       # 仅针对 GCC/Clang 添加特定标志
       if(CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang")
           set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${HARDENING_FLAGS}")
           set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS}")
           set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
       endif()
   endif()

2. 考虑移除 CMAKE_VERBOSE_MAKEFILE：
   除非有特殊原因需要在 Release 模式下打印详细编译日志，否则建议删除 set(CMAKE_VERBOSE_MAKEFILE ON) 这一行，保持构建输出的整洁。

3. -fcf-protection 兼容性：
   如果项目需要支持非常旧的编译器版本（如 GCC 7.x），建议对 -fcf-protection 进行检查：

   check_cxx_compiler_flag("-fcf-protection" COMPILER_SUPPORTS_FCF_PROTECTION)
   if(COMPILER_SUPPORTS_FCF_PROTECTION)
       list(APPEND HARDENING_FLAGS "-fcf-protection")
   endif()

总体而言，这是一个非常高质量的安全加固补丁，引入的编译选项符合现代 Linux 安全标准（如 Debian 的安全编译规范）。只需在 CMake 代码的健壮性和跨平台性上稍作微调即可。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wangrong1069]

/forcemerge

[deepin-bot]

This pr force merged! (status: unstable)

[deepin-bot]

TAG Bot

✅ Tag created successfully

📋 Tag Details

• Tag Name: 6.5.32
• Tag SHA: ec3eb60716a59053e537df0824a38b5012e86237
• Commit SHA: f8098495328edea3b39775516ef981f82caabf7b
• Tag Message:

  Release deepin-calculator 6.5.32
  
  

• Tagger:
  • Name: wangrong1069
• Distribution: unstable