reproducible build error

[18202781743]

• feat: add reproducible build parameters
• chore: remove hardcoded debug flags from CMake

Summary by Sourcery

Enable reproducible and secure builds by removing hardcoded debug flags and introducing reproducible build parameters in CMake and Debian packaging

Build:

• Remove hardcoded '-g -Wall' from CMakeLists.txt to allow controlled debug symbol generation
• Add secure compilation definitions and reproducible build parameters in CMakeLists.txt and debian/rules

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR refactors the build configuration to enable reproducible and secure builds by removing hardcoded debug flags, injecting security-focused compiler definitions in CMake, and updating the Debian rules to propagate reproducible build parameters.

Flow diagram for secure and reproducible build configuration

flowchart TD
    A[Start Build]
    A --> B[Read CMakeLists.txt]
    B --> C[Apply Security Compiler Flags]
    C --> D[Remove Hardcoded Debug Flags]
    D --> E[Propagate Reproducible Build Parameters]
    E --> F[Build Artifacts]
    F --> G[End]

Loading

File-Level Changes

Change	Details	Files
Removed hardcoded debug flags and introduced security build parameters	Deleted CMAKE_CXX_FLAGS "-g -Wall" Added ADD_DEFINITIONS with stack protector, fortify source, PIE, PIC, and noexecstack flags	dcc-network/CMakeLists.txt
Updated Debian packaging to support reproducible builds	Removed legacy debug flag injections Configured rules to export and respect reproducible build environment variables	debian/rules

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Fix the typo in your fortify macro—_D_FORTITY_SOURCE should be _D_FORTIFY_SOURCE.
• For more precise control, consider using target_compile_options on your specific targets instead of global ADD_DEFINITIONS.
• To fully support reproducible builds, add handling for SOURCE_DATE_EPOCH (e.g. via -D SOURCE_DATE_EPOCH) and strip out any __DATE__/__TIME__ macros.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Fix the typo in your fortify macro—`_D_FORTITY_SOURCE` should be `_D_FORTIFY_SOURCE`.
- For more precise control, consider using `target_compile_options` on your specific targets instead of global `ADD_DEFINITIONS`.
- To fully support reproducible builds, add handling for `SOURCE_DATE_EPOCH` (e.g. via `-D SOURCE_DATE_EPOCH`) and strip out any `__DATE__`/`__TIME__` macros.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

我来分析一下这个diff的修改内容：

1. CMakeLists.txt的修改：

• 删除了 set(CMAKE_CXX_FLAGS "-g -Wall") 这一行
• 保留了安全编译参数 ADD_DEFINITIONS("-fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy")

2. debian/rules的修改：

• 添加了 DEB_CMAKE_EXTRA_FLAGS += -DCMAKE_SKIP_BUILD_RPATH=ON 用于reproducible编译
• 在dh_auto_configure命令中增加了$(DEB_CMAKE_EXTRA_FLAGS)参数

分析建议：

1. 代码质量：

• 删除CMAKE_CXX_FLAGS中的"-g -Wall"可能不是最佳选择，因为：
  • "-g"对于调试很重要
  • "-Wall"可以开启所有警告，有助于代码质量控制
• 建议将这些编译选项移至DEB_CXXFLAGS_MAINT_APPEND中统一管理

2. 代码安全：

• 保留的安全编译参数很好，但建议添加：
  • "-fPIE"（Position Independent Executable）
  • "-Wformat -Wformat-security"（格式化字符串安全检查）
  • "-fno-common"（防止全局变量重复定义）

3. 代码性能：

• 建议添加优化级别参数，如"-O2"或"-O3"
• 可以考虑添加"-march=native"以启用特定CPU架构的优化

4. 改进建议：

# 在CMakeLists.txt中
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -Wall")
set(CMAKE_CXX_FLAGS_RELEASE "-O2 -DNDEBUG")
set(CMAKE_CXX_FLAGS_DEBUG "-O0 -g")

# 更全面的安全编译参数
ADD_DEFINITIONS("-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -fno-common")

# 在debian/rules中
DEB_CMAKE_EXTRA_FLAGS += -DCMAKE_SKIP_BUILD_RPATH=ON
export DEB_CXXFLAGS_MAINT_APPEND = -Wall -Wformat -Wformat-security -fno-common
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E -Wl,-pie

这些修改将：

1. 保持调试能力
2. 增强安全性
3. 优化性能
4. 提高代码质量
5. 保持reproducible构建能力

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, BLumia

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment