nix: hardening the build

nix build system drops all of our hardening CFLAGS and CXXFLAGS

srcpkgs/nix/patches/respect-our-flags.patch

@@ -0,0 +1,25 @@
+--- a/Makefile
++++ b/Makefile
+@@ -28,10 +28,8 @@ makefiles = \
+ OPTIMIZE = 1
+ 
+ ifeq ($(OPTIMIZE), 1)
+-  GLOBAL_CXXFLAGS += -O3 $(CXXLTO)
++  GLOBAL_CXXFLAGS += $(CXXLTO)
+   GLOBAL_LDFLAGS += $(CXXLTO)
+-else
+-  GLOBAL_CXXFLAGS += -O0 -U_FORTIFY_SOURCE
+ endif
+ 
+ include mk/lib.mk
+--- a/configure.ac
++++ b/configure.ac
+@@ -41,8 +41,6 @@ AC_DEFINE_UNQUOTED(SYSTEM, ["$system"],
+ test "$localstatedir" = '${prefix}/var' && localstatedir=/nix/var
+ 
+ 
+-CFLAGS=
+-CXXFLAGS=
+ AC_PROG_CC
+ AC_PROG_CXX
+ AC_PROG_CPP

srcpkgs/nix/template

@@ -1,7 +1,7 @@
 # Template file for 'nix'
 pkgname=nix
 version=2.10.3
-revision=2
+revision=3
 build_style=gnu-configure
 # Use /nix/var as suggested by the official Manual.
 configure_args="--localstatedir=/nix/var