Pr0128#188
TAG Bot
TAG: 6.5.35
Reviewer's Guide
Adds compiler and linker hardening flags for Release builds and bumps the application/package version across multiple linglong manifests, with an associated Debian changelog update stub.

Flow diagram for Release build hardening configuration:

```mermaid
flowchart TD
    A[CMake_configure] --> B{CMAKE_BUILD_TYPE}
    B -->|Release| C[Print_Enable_build_hardening]
    B -->|Other| D[Use_default_flags]
    C --> E[Set_HARDENING_FLAGS]
    E --> F[Append_HARDENING_FLAGS_to_CMAKE_CXX_FLAGS]
    E --> G[Append_HARDENING_FLAGS_to_CMAKE_C_FLAGS]
    E --> H[Append_linker_hardening_flags_to_CMAKE_EXE_LINKER_FLAGS]
    D --> I[Continue_configuration]
    F --> I
    G --> I
    H --> I
```
Hey - I've left some high level feedback:
- The hardening flags are appended directly to CMAKE_C_FLAGS/CMAKE_CXX_FLAGS for the generic Release build type; consider using CMAKE_*_FLAGS_RELEASE or target_compile_options/target_link_options so that configuration-specific flags are applied more explicitly and don’t interfere with other build types like RelWithDebInfo.
- You’re adding -g and -O2 in the HARDENING_FLAGS for Release; it might be clearer to keep optimization/debug flags in the standard CMake configuration (e.g., CMAKE_*_FLAGS_RELEASE) and limit HARDENING_FLAGS to security-related flags only to avoid duplication or conflicting toolchain settings.
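Following the reviewer's suggestion above, here is an added example (not code from this PR or the deepin project) that applies the same hardening set per target and per configuration with target_compile_options/target_link_options instead of the global CMAKE_*_FLAGS; the target name `app` and the source file `main.c` are hypothetical.

```cmake
# Added example, not code from this PR: the same hardening set, applied per
# target and per configuration rather than via the global CMAKE_<LANG>_FLAGS.
# "app" and main.c are hypothetical names.
cmake_minimum_required(VERSION 3.14)
project(hardening_example C CXX)

include(CheckPIESupported)
include(CheckCCompilerFlag)

add_executable(app main.c)

# PIE: verify the toolchain can link PIE, then let CMake add -fPIE/-pie itself
# (through the compiler driver, so the PIC start files are selected as well).
check_pie_supported(OUTPUT_VARIABLE pie_msg LANGUAGES C CXX)
if(NOT CMAKE_C_LINK_PIE_SUPPORTED)
  message(WARNING "Linker does not support PIE: ${pie_msg}")
endif()
set_target_properties(app PROPERTIES POSITION_INDEPENDENT_CODE ON)

if(CMAKE_C_COMPILER_ID MATCHES "GNU|Clang")
  set(HARDENING_COMPILE_FLAGS
    -fstack-protector-strong
    -Wformat
    -Werror=format-security
    -Wdate-time
    "-ffile-prefix-map=${CMAKE_SOURCE_DIR}=."
  )
  # Older compilers reject -fstack-clash-protection; probe before using it.
  check_c_compiler_flag(-fstack-clash-protection HAVE_STACK_CLASH_PROTECTION)
  if(HAVE_STACK_CLASH_PROTECTION)
    list(APPEND HARDENING_COMPILE_FLAGS -fstack-clash-protection)
  endif()

  # $<CONFIG:Release> keeps these out of Debug and RelWithDebInfo builds;
  # -O2/-g stay where CMake already puts them (CMAKE_<LANG>_FLAGS_<CONFIG>).
  target_compile_options(app PRIVATE
    "$<$<CONFIG:Release>:${HARDENING_COMPILE_FLAGS}>"
  )
  # _FORTIFY_SOURCE only takes effect at -O1 or higher, which the Release
  # configuration's own flags provide.
  target_compile_definitions(app PRIVATE "$<$<CONFIG:Release>:_FORTIFY_SOURCE=2>")

  # Full RELRO: bind all symbols at load time, then make the GOT read-only.
  target_link_options(app PRIVATE
    "$<$<CONFIG:Release>:-Wl,-z,relro;-Wl,-z,now>"
  )
endif()
```

Because the conditions are generator expressions, the same file also behaves correctly under multi-config generators, where CMAKE_BUILD_TYPE is empty at configure time.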
As title
Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-342665.html
deepin pr auto review
This change introduces compiler hardening options into the CMake build configuration, which is good security practice. Below is a detailed review of the code, covering syntax and logic, code quality, performance and security, with suggestions for improvement:

1. Syntax, logic and code quality
Strengths:
Suggestions for improvement:
2. Code performance
3. Code security
Strengths:
Suggestions for improvement:

Combined improved code example:

```cmake
if(CMAKE_BUILD_TYPE STREQUAL "Release")
    message(STATUS "Enable build hardening.")
    if(CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang")
        # Define the security flags; -O2 and -g are removed here and left to
        # the CMAKE_<LANG>_FLAGS_<CONFIG> variables
        set(HARDENING_FLAGS
            "-Wdate-time"
            "-D_FORTIFY_SOURCE=2"
            "-ffile-prefix-map=${CMAKE_SOURCE_DIR}=."
            "-fstack-protector-strong"
            "-fstack-clash-protection"
            "-Wformat"
            "-Werror=format-security"
            "-fPIE" # explicitly enable PIE compilation
        )
        # CMAKE_<LANG>_FLAGS are space-separated strings, not CMake lists, so
        # join the list with spaces before appending; list(APPEND) would put
        # semicolons into the compiler command line
        string(JOIN " " HARDENING_FLAGS_STR ${HARDENING_FLAGS})
        string(APPEND CMAKE_CXX_FLAGS " ${HARDENING_FLAGS_STR}")
        string(APPEND CMAKE_C_FLAGS " ${HARDENING_FLAGS_STR}")
        # Linker flags: enable RELRO (Relocation Read-Only) and immediate
        # binding; -pie goes through the compiler driver so that the PIC
        # start files are selected too
        string(APPEND CMAKE_EXE_LINKER_FLAGS " -Wl,-z,relro -Wl,-z,now -pie")
    elseif(MSVC)
        # If MSVC support is needed, add the corresponding security flags here
        message(STATUS "MSVC detected, consider adding /GS, /sdl flags.")
    endif()
endif()
```
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: lzwind, wangrong1069
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/merge
Summary by Sourcery
Enable build hardening for release builds and bump application packaging versions across architectures.
Build:
Deployment: