Build launcher with older version of debian to limit glibc version re…

…quired

Doing this allows eclipse launcher to run on older Linux installs than
the just the most recent versions. In particular this is important to
ensure users who do check for updates end up with a still working
eclipse launcher.

In addition, this commit introduces a check in the build process that
the built eclipse/eclipse.so only contains the expected sets of
dependencies.

The x86_64 PERMITTED_GLIBC_VERSION value is based on what Eclipse 4.34
used and what is now achieved again with this commit.

The check_dependencies.sh script was derived from work I did on CDT
[here](/scratch/eclipse/src/cdt/org.eclipse.cdt/releng/scripts/check_glibc_dependencies.sh)

Requires eclipse-platform/eclipse.platform.releng.aggregator#2802
Fixes #830

Jenkinsfile

@@ -17,7 +17,7 @@ def runOnNativeBuildAgent(String platform, Closure body) {
 	def final nativeBuildStageName = 'Perform native launcher build'
 	if (platform == 'gtk.linux.x86_64') {
 		podTemplate(inheritFrom: 'basic' /* inherit general configuration */, containers: [
-			containerTemplate(name: 'launcherbuild', image: 'eclipse/platformreleng-debian-swtnativebuild:12',
+			containerTemplate(name: 'launcherbuild', image: 'eclipse/platformreleng-debian-swtgtk3nativebuild:10',
 				resourceRequestCpu:'1000m', resourceRequestMemory:'512Mi',
 				resourceLimitCpu:'2000m', resourceLimitMemory:'4096Mi',
 				alwaysPullImage: true, command: 'cat', ttyEnabled: true)
@@ -219,7 +219,7 @@ pipeline {
 									withEnv(["JAVA_HOME=${WORKSPACE}/jdk.resources", "EXE_OUTPUT_DIR=${WORKSPACE}/libs", "LIB_OUTPUT_DIR=${WORKSPACE}/libs"]) {
 										dir(ws) {
 											if (isUnix()) {
-												sh "sh build.sh -ws ${ws} -os ${os} -arch ${arch} install"
+												sh "sh build.sh -ws ${ws} -os ${os} -arch ${arch} checklibs install"
 											} else {
 												bat "cmd /c build.bat -ws ${ws} -os ${os} -arch ${arch} install"
 											}

features/org.eclipse.equinox.executable.feature/library/cocoa/make_cocoa.mak

@@ -85,6 +85,9 @@ $(EXEC): $(MAIN_OBJS) $(COMMON_OBJS)
 $(DLL): $(DLL_OBJS) $(COMMON_OBJS)
 	$(CC) -bundle -o $(DLL) $(ARCHS) $(DLL_OBJS) $(COMMON_OBJS) $(LIBS)
 
+# Are there equivalent checks to what is in make_linux.mk to do for macOS?
+checklibs: all
+
 install: all
 	$(info Install into: EXE_OUTPUT_DIR:$(EXE_OUTPUT_DIR) LIB_OUTPUT_DIR:$(LIB_OUTPUT_DIR))
 	mkdir -p $(EXE_OUTPUT_DIR)

features/org.eclipse.equinox.executable.feature/library/gtk/check_dependencies.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+###############################################################################
+# Copyright (c) 2020, 2025 Kichwa Coders Canada Inc and others.
+#
+# This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License 2.0
+# which accompanies this distribution, and is available at
+# https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+###############################################################################
+
+set -eu
+set -o pipefail
+
+SCRIPT=$( basename "${BASH_SOURCE[0]}" )
+
+###
+# Check that executable/so ${FILE}
+# use glibc symbols no greater than ${ALLOWED_GLIBC_VERSION} and depend on
+# no libs other than ${ALLOWED_LIBS}
+FILE=$1; shift
+ALLOWED_GLIBC_VERSION=$1; shift
+ALLOWED_LIBS="$@"; shift
+
+# Check for permitted libraries using `readelf -d` looking for shared
+# libraries that are listed as needed. e.g. lines like:
+#  0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
+readelf -d ${FILE} | grep -E '\(NEEDED\)' | while read needed; do
+    needed=${needed//*Shared library: [/}
+    needed=${needed//]*/}
+    if [[ ! " ${ALLOWED_LIBS} " =~ " ${needed} " ]]; then
+        echo "ERROR: $FILE has illegal dependency of ${needed}"
+        exit 1
+    fi
+done
+
+# The way the version check is done is that all symbol version info is extracted
+# from relocations match @GLIBC_*, the versions are sorted with the max
+# allowed version added to the list too. And then we check the last entry in
+# the list to make sure it is == to max allowed version.
+objdump -R ${FILE} | grep @GLIBC_ | while read version; do
+    echo ${version//*@GLIBC_}
+done > /tmp/version_check
+echo ${ALLOWED_GLIBC_VERSION} >> /tmp/version_check
+max_version_in_use=$(cat /tmp/version_check | sort --unique --version-sort | tail -n1)
+if [ "$max_version_in_use" != "$ALLOWED_GLIBC_VERSION" ]; then
+    echo "ERROR: $FILE has dependency on glibc greater than allowed version of ${ALLOWED_GLIBC_VERSION} for at least the following symbols"
+    # This only lists greatest version number symbols
+    objdump -R ${FILE} | grep @GLIBC_${max_version_in_use}
+    exit 1
+fi

features/org.eclipse.equinox.executable.feature/library/gtk/make_linux.mak

@@ -43,6 +43,20 @@ JAVA_HOME ?= $(shell readlink -f /usr/bin/java | sed "s:jre/::" | sed "s:bin/jav
 PROGRAM_OUTPUT ?= eclipse
 PROGRAM_LIBRARY = $(PROGRAM_OUTPUT)_$(LIB_VERSION).so
 
+# Permitted dependencies and glibc versions
+# This does not include libraries that are dynamically loaded with dlopen,
+# like all the gtk libraries. The purpose of this list, and the version
+# limit on glibc is to ensure eclipse launcher will be able to start
+# on the widest range on Linuxes.
+# All other error handling regarding missing/problematic libraries
+# can be done at runtime.
+PERMITTED_LIBRARIES=libc.so.6 libpthread.so.0 libdl.so.2
+ifeq ($(DEFAULT_OS_ARCH),x86_64)
+PERMITTED_GLIBC_VERSION=2.7
+else
+PERMITTED_GLIBC_VERSION=2.31
+endif
+
 # 64 bit specific flag:
 ifeq ($(M_CFLAGS),)
 ifeq ($(DEFAULT_OS_ARCH),x86_64)
@@ -133,6 +147,11 @@ $(DLL): $(DLL_OBJS) $(COMMON_OBJS)
 	$(info Linking and generating: $(DLL))
 	$(CC) $(LFLAGS) -o $(DLL) $(DLL_OBJS) $(COMMON_OBJS) $(LIBS)
 
+checklibs: all
+	$(info Verifying $(EXEC) $(DLL) have permitted dependencies)
+	./check_dependencies.sh $(EXEC) $(PERMITTED_GLIBC_VERSION) $(PERMITTED_LIBRARIES)
+	./check_dependencies.sh $(DLL) $(PERMITTED_GLIBC_VERSION) $(PERMITTED_LIBRARIES)
+
 install: all
 	$(info Install into: EXE_OUTPUT_DIR:$(EXE_OUTPUT_DIR) LIB_OUTPUT_DIR:$(LIB_OUTPUT_DIR))
 	mkdir -p $(EXE_OUTPUT_DIR)