Conversation

@wangrong1069

@wangrong1069 wangrong1069 commented Nov 26, 2025

As title

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-337059.html

Summary by Sourcery

Build:

  • Enable RELRO and NOW linker options in the global CMake C++ compiler flags to harden binaries against memory corruption attacks.

@sourcery-ai

sourcery-ai bot commented Nov 26, 2025

Reviewer's Guide

This PR strengthens the build’s security posture by adding linker hardening flags to the global C++ compiler flags in the top-level CMake configuration.

Flow diagram for updated build configuration with security linker flags

flowchart TD
    A[Top-level CMakeLists.txt] --> B[Set QT_VERSION_MAJOR 6]
    A --> C[Append security linker flags to CMAKE_CXX_FLAGS]
    C -->|Adds| D[-Wl,-z,relro]
    C -->|Adds| E[-Wl,-z,now]
    B --> F[Add subdirectory deepin-devicemanager]
    B --> G[Add subdirectory deepin-devicemanager-server]
    C --> F
    C --> G
    F --> H[Build deepin-devicemanager with hardened linker flags]
    G --> I[Build deepin-devicemanager-server with hardened linker flags]

File-Level Changes

Change: Enable additional linker security hardening flags for all C++ targets via the root CMake configuration.
Details:
  • Append -Wl,-z,relro and -Wl,-z,now to the global CMAKE_CXX_FLAGS variable
  • Ensure the new security flags are applied project-wide by placing the setting in the top-level CMakeLists configuration before adding subdirectories
Files: CMakeLists.txt



@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • These are linker options rather than compiler flags, so consider moving them to CMAKE_EXE_LINKER_FLAGS/CMAKE_SHARED_LINKER_FLAGS or target_link_options() instead of CMAKE_CXX_FLAGS for clearer intent and correct tool invocation.
  • Updating CMAKE_CXX_FLAGS like this can overwrite or duplicate existing flags; using string(APPEND ...) or add_link_options() (for modern CMake) is safer and scales better with other configuration.
  • You may want to guard these ELF-specific -Wl,-z,... flags behind a compiler/platform check so they don’t break builds on non-GNU or non-ELF toolchains.

@deepin-ci-robot

deepin pr auto review

My review of this CMakeLists.txt change:

  1. Syntax and logic:
    The syntax of the change is correct; the CMAKE_CXX_FLAGS variable is used to add compiler link options.

  2. Code quality:

  • Consider placing the compiler flag settings in a more appropriate location, such as after the project() declaration
  • Comments should be added explaining what these two flags do
  • Consider using target_link_options() instead of setting CMAKE_CXX_FLAGS globally, so that which targets use these options can be controlled more precisely

  3. Code performance:
    These two linker options (-Wl,-z,relro and -Wl,-z,now) do slightly increase program startup time, because they resolve all dynamically linked symbols when the program starts. This performance impact is usually very small, and the security improvement it brings is more important.

  4. Code security:
    These two options are good security practice:

  • -Wl,-z,relro (RELRO - Relocation Read Only): marks certain data segments (such as the GOT) read-only, preventing certain types of memory corruption attacks
  • -Wl,-z,now (BIND_NOW): forces all dynamic symbols to be resolved at program startup, preventing attacks that exploit lazy binding

Suggested improvement:

# Add after the project() declaration
if(CMAKE_BUILD_TYPE STREQUAL "Release")
    # Add security-related linker options
    # RELRO: mark certain data segments read-only to harden the binary
    # BIND_NOW: resolve all dynamic symbols immediately, preventing lazy-binding attacks
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
endif()

This improved version:

  1. Adds detailed explanatory comments
  2. Enables these options only in Release builds
  3. Sets the link flags for executables and shared libraries separately
  4. Uses the more specific CMAKE_EXE_LINKER_FLAGS and CMAKE_SHARED_LINKER_FLAGS instead of the global CMAKE_CXX_FLAGS
  5. Adds a conditional check, making the configuration more flexible
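Both reviews above leave open the question of whether the flags actually reached the linker for every target. The following is an added example (not part of this PR or the deepin-devicemanager project) that classifies an ELF binary's RELRO hardening from readelf output: a GNU_RELRO segment alone is partial RELRO, GNU_RELRO plus BIND_NOW is full RELRO, which is what -Wl,-z,relro -Wl,-z,now should produce. The readelf snippets embedded for the offline check are constructed, not taken from a real build.

```shell
#!/bin/sh
# relro_status <readelf -lW output> <readelf -dW output>
# Prints: none (no GNU_RELRO segment), partial (GNU_RELRO but lazy
# binding), or full (GNU_RELRO and BIND_NOW / FLAGS_1 NOW).
relro_status() {
    headers="$1"
    dynamic="$2"
    if ! printf '%s\n' "$headers" | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # ld -z now shows up as (FLAGS) BIND_NOW and/or (FLAGS_1) Flags: NOW
    if printf '%s\n' "$dynamic" | grep -Eq 'BIND_NOW|Flags:.*[ ]NOW([ ]|$)'; then
        echo full
    else
        echo partial
    fi
}

# Wrapper for a real binary; needs binutils' readelf on PATH.
# Usage: check_binary build/deepin-devicemanager/deepin-devicemanager
check_binary() {
    relro_status "$(readelf -lW "$1" 2>/dev/null)" "$(readelf -dW "$1" 2>/dev/null)"
}

# Constructed sample readelf output for offline use (not from a real build).
SAMPLE_HEADERS_RELRO='  GNU_RELRO      0x002dd8 0x0000000000003dd8 0x0000000000003dd8 0x000228 0x000228 R   0x1'
SAMPLE_DYNAMIC_NOW=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_DYNAMIC_LAZY=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# Stand-alone run: a binary path as argument, else the constructed samples.
if [ -n "$1" ]; then
    check_binary "$1"
else
    relro_status "$SAMPLE_HEADERS_RELRO" "$SAMPLE_DYNAMIC_NOW"   # full
    relro_status "$SAMPLE_HEADERS_RELRO" "$SAMPLE_DYNAMIC_LAZY"  # partial
    relro_status "" "$SAMPLE_DYNAMIC_NOW"                        # none
fi
```

Run it against both the deepin-devicemanager executable and the server binary after a build, since flags placed in CMAKE_CXX_FLAGS rather than the linker-flag variables are worth confirming per target.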

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wangrong1069

/merge

@deepin-bot deepin-bot bot merged commit dbf60bb into linuxdeepin:master Nov 26, 2025
15 checks passed
@wangrong1069 wangrong1069 deleted the pr1126 branch November 26, 2025 08:59