mkosi: Fix FORTIFY_SOURCE (again)

CentOS/Fedora use annobin which will complain if FORTIFY_SOURCE=0
is used so we disable those checks to avoid the warnings.

We also make sure that when we query the compilation flags so we can
add more, we set _fortify_level=0 and undefine _lto_flags so that we
don't get those flags in the result.

mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot

@@ -32,16 +32,16 @@ ARCH="$(rpm --eval %_arch)"
 SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"
 
 # TODO: Drop -U_FORTIFY_SOURCE when we switch to CentOS Stream 10.
-EXTRA_CFLAGS="-O0 -Wp,-U_FORTIFY_SOURCE"
+CFLAGS="$(rpm --define "_fortify_level 0" --undefine _lto_cflags --eval %build_cflags) -O0 -Wp,-U_FORTIFY_SOURCE"
 if ((WITH_DEBUG)); then
-    EXTRA_CFLAGS="$EXTRA_CFLAGS -ffile-prefix-map=../src=$SRCDEST"
+    CFLAGS="$CFLAGS -ffile-prefix-map=../src=$SRCDEST"
 fi
 
 IFS=
 # TODO: Replace meson_build and meson_install overrides with "--undefine __meson_verbose" once
 # https://github.com/mesonbuild/meson/pull/12835 is available.
 # shellcheck disable=SC2046
-rpmbuild \
+ANNOBIN="no-active-checks" rpmbuild \
     -bb \
     --build-in-place \
     --with upstream \
@@ -58,7 +58,7 @@ rpmbuild \
     $( ((WITH_DEBUG)) || echo "debug_package %{nil}") \
     --define "version_override $VERSION" \
     --define "release_override $RELEASE" \
-    --define "build_cflags $(rpm --eval %build_cflags) $EXTRA_CFLAGS" \
+    --define "build_cflags $CFLAGS" \
     --define "meson_build %{shrink:%{__meson} compile -C %{_vpath_builddir} -j %{_smp_build_ncpus} %{nil}}" \
     --define "meson_install %{shrink:DESTDIR=%{buildroot} %{__meson} install -C %{_vpath_builddir} --no-rebuild --quiet %{nil}}" \
     --define "meson_extra_configure_options -D mode=developer -D b_sanitize=${SANITIZERS:-none}" \