I wanted to enable hardening flags in the debian build (I guess other distros will want to do the same); I realized this is made more difficult by the fact that we don't handle CPPFLAGS in our build system. Well, if it makes us feel any better, CMake had (has?) the same bug.