Enable hardening options, use debian packaging compat 9

Bug #1019829 reported by Devid Antonio Filoni
This bug affects 3 people
Affects        Status        Importance  Assigned to                  Milestone
elementary OS  Fix Released  Wishlist    Devid Antonio Filoni
0.3-freya      Fix Released  Wishlist    Sergey "Shnatsel" Davidoff

Bug Description

I think you should enable hardening options like in Debian.

WHY?
http://wiki.debian.org/Hardening/

HOW TO DO THIS (that's how I would do it):
 - Backport debhelper 9.20120417 to precise
 - Add debhelper (>= 9.20120417) in Build-Depends field to each debian/control
 - Change debian/compat to 9 in each Debian package

NOTE:
Please don't override flags in your CMakeLists.txt files.
Example:
http://bazaar.launchpad.net/~beatbox-team/beat-box/trunk/revision/642

Devid Antonio Filoni (d.filoni) wrote :

I backported debhelper [1] and tested a granite build [2].

In Precise, hardening flags are enabled, but due to a CMake bug [3] (fixed in debhelper 9.20120417) CPPFLAGS are ignored. The CPPFLAGS variable is used in Ubuntu/Debian to pass the -D_FORTIFY_SOURCE=2 flag to the compiler.
Now, with the backported package and the changes described above, it looks like CPPFLAGS are recognized by the compiler [4].

UBUNTU HARDENING FLAGS:
dpkg-buildpackage: export CFLAGS from dpkg-buildflags (origin: vendor): -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
dpkg-buildpackage: export CPPFLAGS from dpkg-buildflags (origin: vendor): -D_FORTIFY_SOURCE=2
dpkg-buildpackage: export CXXFLAGS from dpkg-buildflags (origin: vendor): -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
dpkg-buildpackage: export FFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export LDFLAGS from dpkg-buildflags (origin: vendor): -Wl,-Bsymbolic-functions -Wl,-z,relro

ABOUT -D_FORTIFY_SOURCE=2 (from http://wiki.debian.org/Hardening/):
During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain '%n' are blocked. If an application depends on such a format string, it will need to be worked around.

[1] https://launchpad.net/~d.filoni/+archive/quantal-builds/+sourcepub/2542384/+listing-archive-extra
[2] https://launchpad.net/~d.filoni/+archive/quantal-builds/+sourcepub/2542404/+listing-archive-extra
[3] http://www.cmake.org/Bug/view.php?id=12928
[4] https://launchpadlibrarian.net/109111815/granite_0.2~r290-0~0devfil3%2Blogger~precise1_amd64.changes

Devid Antonio Filoni (d.filoni) wrote :
Changed in elementaryos:
status: New → In Progress
assignee: nobody → Devid Antonio Filoni (d.filoni)
Sergey "Shnatsel" Davidoff (shnatsel) wrote :

Is it supposed to be done only in Granite or in all apps?
Either way, this requires a great deal of regression testing...

Sergey "Shnatsel" Davidoff (shnatsel) wrote :

This requires backporting or patching Debhelper, so it's not an option for Luna/Precise.

We'll get this automatically in Quantal simply by bumping debian/compat to 9 (and updating the debhelper version requirement in debian/control accordingly). This change will still allow the packages to build on Precise, though they won't get the hardening automatically. I'll script and perform this change sometime in the Luna+1/Quantal+ cycle.

Changed in elementaryos:
status: In Progress → Triaged
Devid Antonio Filoni (d.filoni) wrote : Re: [Bug 1019829] Re: Enable hardening options

Please don't update debhelper version requirement or packages won't
build on Precise. You only have to bump debian/compat to 9.

On Wed, Jul 4, 2012 at 6:22 PM, Sergey "Shnatsel" Davidoff
<email address hidden> wrote:
> This requires backporting or patching Debhelper, so it's not an option
> for Luna/Precise.
>
> We'll get this automatically in Quantal simply by bumping debian/compat
> to 9 (and updating the debhelper version requirement in debian/control
> accordingly). This change will still allow the packages to build on
> Precise, though they won't get the hardening automatically. I'll script
> and perform this change sometime in Luna+1/Quantal+ cycle.
>
> ** Changed in: elementaryos
> Status: In Progress => Triaged
>
> ** Also affects: elementaryos/0.3
> Importance: Undecided
> Status: New
>
> ** Changed in: elementaryos/0.3
> Assignee: (unassigned) => Sergey "Shnatsel" Davidoff (shnatsel)

Cody Garver (codygarver)
Changed in elementaryos:
importance: Undecided → Wishlist
Cody Garver (codygarver) wrote :

From a duplicate:

"In order to be fully multi-arch compatible, we need to change the debhelper compatibility level (compat file) to 9.

Files
Granite
Maya
Noise
libpantheon
Scratch
Switchboard
Switchboard Plug Online Accounts

Note: This is only useful for applications with a shared library."

summary: - Enable hardening options
+ Enable hardening options, use debian packaging compat 9
Sergey "Shnatsel" Davidoff (shnatsel) wrote :

I went through our deb-packaging branches and updated them to compat 9. Plugs do not have deb-packaging branches, so they may still have an outdated compat version.

I've separately enabled all hardening flags in select packages, see bug #1340488 for details.

Changed in appcenter:
status: New → Confirmed
no longer affects: appcenter
Sergey "Shnatsel" Davidoff (shnatsel) wrote :

I've additionally verified plug branches and they're good.

We still have to check whether the hardening options are ACTUALLY applied, i.e. whether -D_FORTIFY_SOURCE=2 is passed (CMake has a long track record of ignoring C preprocessor flags) and fix that where appropriate.

I've done that in the course of my Debian porting effort for most packages; the ones I have not yet verified are Wingpanel, AppCenter, Audience, and various plugs.
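
One way to run the check described in the last comment over a verbose build log, as an added example that is not part of the original bug report or the project's tooling. The function names `audit_build_log` and `sample_log` and the log lines are constructed for illustration; the flag names are the ones in the dpkg-buildflags output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: flag names come from the dpkg-buildflags output quoted in
# this report; function names and the sample log are constructed.

# audit_build_log [FILE]: print "<problem> <output-file>" for every compiler
# invocation in a verbose build log that lacks an expected hardening flag.
audit_build_log() {
    awk '
    {
        # CMake logs often prefix commands with "cd DIR &&", so find the compiler.
        cc = 0
        for (i = 1; i <= NF; i++) {
            n = $i; sub(/.*\//, "", n)
            if (n ~ /^(cc|gcc|g[+][+]|c[+][+])$/) { cc = i; break }
        }
        if (!cc) next
        compile = fortify = opt = ssp = relro = 0; target = "?"
        for (i = cc + 1; i <= NF; i++) {
            if ($i == "-c") compile = 1
            else if ($i == "-D_FORTIFY_SOURCE=2") fortify = 1
            else if ($i ~ /^-O[123s]?$/) opt = 1
            else if ($i ~ /^-fstack-protector/) ssp = 1
            else if ($i ~ /^-Wl,.*-z,relro/) relro = 1
            else if ($i == "-o") target = $(i + 1)
        }
        if (compile) {
            if (!fortify) print "missing-fortify", target
            # glibc only activates _FORTIFY_SOURCE when optimization is on.
            else if (!opt) print "fortify-without-optimization", target
            if (!ssp) print "missing-stack-protector", target
        } else if (!relro) print "missing-relro", target
    }' "$@"
}

# Constructed log: a.c.o shows CFLAGS honoured but CPPFLAGS dropped.
sample_log() {
    cat <<'EOF'
cd /build/lib && /usr/bin/cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -o CMakeFiles/granite.dir/a.c.o -c /build/lib/a.c
cd /build/lib && /usr/bin/cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -o CMakeFiles/granite.dir/b.c.o -c /build/lib/b.c
cd /build/lib && /usr/bin/cc -g -fstack-protector -D_FORTIFY_SOURCE=2 -o CMakeFiles/granite.dir/c.c.o -c /build/lib/c.c
/usr/bin/cc -Wl,-Bsymbolic-functions -Wl,-z,relro -shared -o libgranite.so a.c.o b.c.o
/usr/bin/cc -shared -o libdemo.so a.c.o
EOF
}

sample_log | audit_build_log
```

An empty result means every compile and link line in the log carried the expected flags; it says nothing about objects built by commands the log does not show.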
