Pass critical CFLAGS/CXXFLAGS to more build steps

[kwsantiago]

• Depends on build: move hardening flags to dedicated cmake module #254
• Closes Pass certain CFLAGS/CXXFLAGS to more build steps #159

[luke-jr]

What do you think about taking the hardening logic out of /CMakeLists.txt and putting it into a CMake module that we can just use here too? (Maybe make that a separate PR in case it doesn't work out)

[kwsantiago]

What do you think about taking the hardening logic out of /CMakeLists.txt and putting it into a CMake module that we can just use here too? (Maybe make that a separate PR in case it doesn't work out)

@luke-jr I moved this logic to #254

[luke-jr]

With the current PR, guix/depends don't get the hardening options. The point of #159 is to build everything included in the official binaries with full hardening (and source builds by default). The difficulty is using the same hardening decision logic for both the main source as well as dependencies.

[kwsantiago]

Added hardening flag propagation to all depends host configs (linux, darwin, mingw, freebsd, openbsd, netbsd), gated by NO_HARDEN, matching what Hardening.cmake applies to the main build: bb87830

[luke-jr]

The goal isn't to match Hardening.cmake, but to call and use it. Which would also test the usability of compiler-specific flags.

[kwsantiago]

Reworked: depends now probes Hardening.cmake directly instead of duplicating flags per-host.

[kwsantiago]

Moved -fstack-reuse=none into Hardening.cmake and pulled target_link_libraries out of the module so the probe skips the dummy library.

[luke-jr]

Don't we need to update build_id to include the flags?

Also, this doesn't seem to actually work. strace'ing the guix build shows many dependencies being built without the hardening flags.

[kwsantiago]

Fixed build_id to hash host_CFLAGS/CXXFLAGS/LDFLAGS (full flags incl. probe output). Verified under guix: 470/470 compile commands have all hardening flags; prior missing-flags symptom was stale cache not invalidating.

[kwsantiago]

Also added build-toolchain probe so native depends packages get hardening. Verified end-to-end under guix: 506/506 compile commands hardened, all 7 output binaries have BIND_NOW/PIE/stack_chk.

[kwsantiago]

Added host_build: QMAKE_* lines in qt.mk so Qt's native tools (moc, rcc, uic) also get hardening. Verified under guix: 495/495 real compiles hardened (remaining 36 are cmake/autoconf internal probes, which your grep already filters).

grep 'execve("[^"]*\(cc\|++\|ld\)[^/"]*"' log-tmp | grep -v 'execve("[^"]*-ar"\|/bin/ldd"\|/bin/rcc"\|"--help"\|"-[-q]\?version"\|"-\?-print\|-ranlib"\|"-E"\|CompilerId\b\|conftest\|CMakeFiles/\|"-[Vv]"' |perl -nle 'if(m["(-o)", "([^"]{2,})"] and $2 ne "/dev/null"){print "$1 $2 $_"}elsif(m["([^"]+\.([ch](xx|pp)?|cc))"]){print "$1 $_"} else{print}'|grep -v '^-o /tmp/\|^cmTC_' | grep -v 'fstack-clash-protection\|-z.separate-code' |wc -l

[kwsantiago]

Patched qmake's Makefile.unix template so configure's bootstrap also gets hardening. Strace-verified under guix: 0 real build commands missing flags.