add harden flags to cicd & pinned builds - 2.0

[spoonincode]

Change Description

This PR adds a handful of typical compiler hardening options for Linux pinned script builds and cicd builds (so, this includes binaries). I say "typical" as major distros like Ubuntu, Fedora, Arch all ship their packages with most of these hardening options because they can mitigate some classical exploits. There is abundant documentation on what these flags do, but briefly:

• -D_FORTIFY_SOURCE=2: Compile time warnings and runtime checks on some functions such as memset, printf, and more that look for out of bound errors. The runtime checks will assert and exit if hit. "2" is the more aggressive setting that can cause pedantically correct applications to fail.
• -fpie -pie: compiles the main executable to be position independent code. This allows the main executable, its heap, etc to be placed randomly via ASLR in addition to shared libraries that already are
• -fstack-protector-stong: stack overflow protection
• -Wl,-z,relro,-z,now: -z,now causes the dynamic linker to resolve all symbols at startup instead of lazy linking later on. Because symbols are resolved before program execution starts, -z,relro can also be added to make the GOT read only (the linker mprotect()s it after resolving all symbols). Protects against overwriting of the GOT to redirect program flow.

I'm seeing something on the order of 3% performance reduction with a replay of recent blocks with OC and replay opts disabled.

Consensus Changes

• Consensus Changes

API Changes

• API Changes

Documentation Additions

• Documentation Additions