chore: Update compiler flags for security enhancements #99

Merged
deepin-bot[bot] merged 1 commit into linuxdeepin:master from wangrong1069:pr1124
Nov 24, 2025
@wangrong1069 wangrong1069 commented Nov 24, 2025

Add "-D_FORTIFY_SOURCE=2"

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-337059.html

Summary by Sourcery

Build:

  • Enable _FORTIFY_SOURCE=2 in C and C++ compiler flags for app, service, and test targets to enhance compile-time and runtime security checks.

sourcery-ai bot commented Nov 24, 2025

Reviewer's Guide

This PR tightens compiler security settings across the app, service, and test targets by adding the -D_FORTIFY_SOURCE=2 macro definition to both C and C++ compilation flags in their respective qmake project files.

File-Level Changes

Change: Enable fortified glibc protections via compiler defines for all targets.

Details:
  • Extend QMAKE_CFLAGS to include -D_FORTIFY_SOURCE=2 alongside existing stack protector and PIE flags for the main application target.
  • Extend QMAKE_CXXFLAGS to include -D_FORTIFY_SOURCE=2 for the main application target.
  • Extend QMAKE_CFLAGS to include -D_FORTIFY_SOURCE=2 for the service target, preserving existing security flags.
  • Extend QMAKE_CXXFLAGS to include -D_FORTIFY_SOURCE=2 for the service target, preserving existing security and access-control flags.
  • Extend QMAKE_CFLAGS to include -D_FORTIFY_SOURCE=2 for the tests target with existing stack protector and PIE options.
  • Extend QMAKE_CXXFLAGS in tests to add -D_FORTIFY_SOURCE=2 while keeping -fno-access-control and existing security flags.

Files:
  • src/app/app.pro
  • src/service/service.pro
  • src/tests/tests.pro

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • Consider centralizing the common security compile flags in a shared .pri file so you don't have to repeat the same QMAKE_*FLAGS in app.pro, service.pro, and tests.pro.
  • Since _FORTIFY_SOURCE requires optimization to be effective, you may want to ensure these flags are only applied (or are adjusted) for builds compiled with at least -O1/-O2 to avoid unexpected behavior in non-optimized builds.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `src/app/app.pro:8` </location>
<code_context>
 QMAKE_LFLAGS += -z noexecstack -pie -z relro -z now
-QMAKE_CFLAGS += -fstack-protector-all -fPIE
-QMAKE_CXXFLAGS += -fstack-protector-all -fPIE
+QMAKE_CFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2
+QMAKE_CXXFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2

</code_context>
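Review bot: The `-D_FORTIFY_SOURCE=2` appended to `QMAKE_CFLAGS` and `QMAKE_CXXFLAGS` is unconditional, and nothing in these lines sets an optimization level, so the define also reaches debug builds. glibc only fortifies when optimization is enabled and otherwise emits a "_FORTIFY_SOURCE requires compiling with optimization" warning. Consider also writing it as `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, so that a value already predefined by the toolchain or by packaging flags does not trigger a macro-redefinition warning.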

<issue_to_address>
**🚨 suggestion (security):** Consider ensuring optimization is enabled so _FORTIFY_SOURCE=2 actually has effect.

_FORTIFY_SOURCE only works with optimization (e.g., -O1 or higher). If your default CFLAGS don’t guarantee that, consider only defining it in optimized/release builds or ensure an optimization level like -O2 is always used, so the protections actually take effect.

Suggested implementation:

```
# Add security compile flags
QMAKE_LFLAGS += -z noexecstack -pie -z relro -z now
QMAKE_CFLAGS += -fstack-protector-all -fPIE
QMAKE_CXXFLAGS += -fstack-protector-all -fPIE

# Enable _FORTIFY_SOURCE only in optimized release builds, so that it actually takes effect
CONFIG(release, debug|release) {
    QMAKE_CFLAGS_RELEASE += -O2 -D_FORTIFY_SOURCE=2
    QMAKE_CXXFLAGS_RELEASE += -O2 -D_FORTIFY_SOURCE=2
}

## Add memory leak detection
#CONFIG(debug, debug|release) {

```

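- Please confirm that nowhere else in the project (for example the global qmake configuration, or a parent .pro or .pri file) forces a different optimization level for release builds (such as -O0 or -Os), to avoid a conflict with the -O2 here.
- If the optimization level is already set uniformly at the global level (for example, all release builds use -O2), you can drop the -O2 from the block above and keep only -D_FORTIFY_SOURCE=2, to avoid specifying the optimization level twice.
- If you also want some optimization and FORTIFY in debug mode (uncommon, but sometimes needed), you can similarly add a suitable -O level and -D_FORTIFY_SOURCE=2 to QMAKE_CFLAGS_DEBUG / QMAKE_CXXFLAGS_DEBUG.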
</issue_to_address>

### Comment 2
<location> `src/service/service.pro:13-14` </location>
<code_context>
 QMAKE_LFLAGS += -z noexecstack -pie -z relro -z now
-QMAKE_CFLAGS += -fstack-protector-all -fPIE
-QMAKE_CXXFLAGS += -fstack-protector-all -fPIE
+QMAKE_CFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2
+QMAKE_CXXFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2

 ## 添加内存泄露检测
</code_context>
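Review bot: The trailing context line `## 添加内存泄露检测` ("add memory leak detection") shows that a leak-detection section follows the changed flags in service.pro, and the new define is not guarded against it. If that section enables a sanitizer such as `-fsanitize=address` (not visible in this hunk), `_FORTIFY_SOURCE` should be left out of that build, because the two are known not to work well together: fortified `__*_chk` calls can bypass the sanitizer's interceptors. Either restrict the define to non-sanitizer configurations or add `-U_FORTIFY_SOURCE` inside that section.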

<issue_to_address>
**suggestion:** These duplicated security flags across .pro files could be centralized for consistency and easier maintenance.

Since both projects now define identical security flags, consider moving them into a shared .pri or common config file that each .pro includes. This will reduce duplication and help prevent configuration drift when updating flags like _FORTIFY_SOURCE or PIE settings in the future.

Suggested implementation:

```
# Add the common security compile flags (kept in a shared config file so the .pro files do not repeat them)
include(../common/security_flags.pri)

TEMPLATE = app


```

To fully implement the suggestion and centralize the security flags, you should also:
1. Create a new file (if it doesn't exist yet), for example at `src/common/security_flags.pri` (or adjust the include path above to match your project layout), with the shared flags:
   - QMAKE_LFLAGS += -z noexecstack -pie -z relro -z now
   - QMAKE_CFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2
   - QMAKE_CXXFLAGS += -fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2
2. In the other .pro files that currently duplicate these flags, remove their individual QMAKE_LFLAGS/QMAKE_CFLAGS/QMAKE_CXXFLAGS security flag lines and add the same `include(../common/security_flags.pri)` (with the correct relative path from each .pro).
3. If different targets need slight variations of the flags in the future, keep the common baseline in `security_flags.pri` and override/append only the differences locally in specific .pro files.
</issue_to_address>


Add "-D_FORTIFY_SOURCE=2"

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-337059.html
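
A way to check whether the flag added in this PR took effect in a built binary, as an added example that is not part of the pull request or the project: fortified calls show up as imports of glibc's `__*_chk` wrappers (for example `__memcpy_chk`) rather than the plain functions. The function names, the list of fortifiable functions and the two symbol listings are assumptions constructed for illustration; the input format is that of `nm -D --undefined-only`.

```shell
#!/bin/sh
# Added example (not from the PR). Real use:
#   nm -D --undefined-only ./binary | fortify_verdict
# Functions glibc can fortify (assumption: a subset, not the full list).
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf printf fprintf fgets read"

# Reads nm output on stdin, prints "fortified=N unfortified=M".
fortify_report() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "U" {
            sym = $2
            sub(/@.*/, "", sym)                  # drop "@GLIBC_x.y" suffix
            if (sym ~ /^__.*_chk$/) {            # e.g. __memcpy_chk
                base = substr(sym, 3, length(sym) - 6)
                if (base in want) fort++
            } else if (sym in want) plain++
        }
        END { printf "fortified=%d unfortified=%d\n", fort, plain }'
}

# Plain imports next to _chk ones are normal: calls whose destination size
# the compiler cannot determine stay unfortified.
fortify_verdict() {
    report=$(fortify_report)
    fort=${report#fortified=}; fort=${fort%% *}
    plain=${report##*=}
    if [ "$fort" -gt 0 ]; then echo "fortified"
    elif [ "$plain" -gt 0 ]; then echo "not-fortified"
    else echo "no-fortifiable-imports"
    fi
}

# Constructed sample listings (not taken from the project's binaries).
sample_O0() { cat <<'EOF'
                 U memcpy@GLIBC_2.14
                 U strcpy@GLIBC_2.2.5
EOF
}
sample_O2() { cat <<'EOF'
                 U __memcpy_chk@GLIBC_2.3.4
                 U __strcpy_chk@GLIBC_2.3.4
                 U memcpy@GLIBC_2.14
                 U __stack_chk_fail@GLIBC_2.4
EOF
}

sample_O0 | fortify_verdict; sample_O2 | fortify_verdict
```

A "no-fortifiable-imports" result is inconclusive rather than a failure, since the compiler can inline small copies entirely.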
@deepin-ci-robot

deepin pr auto review

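I'll review this git diff in detail:

  1. Code quality and security improvements:

The -D_FORTIFY_SOURCE=2 compile option has been added in all three files, app.pro, service.pro and tests.pro, which is a good security-hardening measure:

  • This option checks certain unsafe string and memory functions at compile time
  • It can help detect security problems such as buffer overflows
  • Recommend keeping this security option

  2. File management improvements:

src/tools/exportPot.bat has been added to the file list in the .reuse/dep5 file:

  • This change ensures that the newly added batch file is also correctly covered by the license declaration
  • It follows best practice for software license management
  • Recommend confirming that this file really needs the CC0-1.0 license

  3. Suggestions and notes:

a) About _FORTIFY_SOURCE:

  • When using _FORTIFY_SOURCE=2, make sure the string and memory functions used in the code are safe
  • Recommend enabling all warnings (-Wall -Wextra) at compile time to go with this option

b) About the security compile options:

  • The current combination of security compile options is reasonable:
    • -z noexecstack: prevents stack execution
    • -pie: generates a position-independent executable
    • -z relro -z now: enables relocation protection
    • -fstack-protector-all: enables stack protection
    • -fPIE: generates position-independent code
  • Recommend keeping these security options

c) About tests.pro:

  • Note that tests.pro uses -fno-access-control, which disables C++ access-control checks
  • It is reasonable for this option to apply only to test code
  • Make sure this option does not affect the compilation of production code

  4. Overall assessment:
    These changes are all positive improvements, mainly enhancing the security and compliance of the code. No obvious problems or potential risks were found. Recommend continuing to use these security compile options and regularly checking whether new security compile options can be added.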

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wangrong1069
Contributor Author

/merge

@deepin-bot deepin-bot bot merged commit e5e2562 into linuxdeepin:master Nov 24, 2025
18 checks passed
@wangrong1069 wangrong1069 deleted the pr1124 branch November 24, 2025 06:50