Message-ID: <0772cd37-21e8-45c0-9543-957c4688b56d@ipfire.org>
Date: Fri, 23 Jan 2026 12:06:30 +0100
Subject: Re: Updating rust and eco system
From: Adolf Belka
To: Michael Tremer
Cc: "IPFire: Development-List"
In-Reply-To: <02AF1D50-1E51-48DE-A5EE-D89C89B3B34E@ipfire.org>

Hi Michael,

On 23/01/2026 11:31, Michael Tremer wrote:
> Hello Stefan,
> Hello list,
>
> Thank you for looking at this. Of course it is very important that we are able to stay on the latest version of Suricata.
>
> I have merged your monster of a patch so that we can move on for now, but I have a couple of bigger questions that we all should have a look at:
>
> Adolf has in the past spent a lot of time on updating Rust. This is all tapping into Python - or rather python-cryptography - having some Rust code that has further dependencies. In essence, it has been a huge headache to update this. Maybe Adolf even has some other words for this all.

My words on this are that I have now tried multiple times to get a new python update built. Each time I have done it a bit different but the end result has been the same and that is that python-cryptography (which requires rust modules to be built) ends up requiring python-maturin that requires more rust modules but at the end of this the python-cryptography fails to find the built rust modules. I have been stuck at this last point so many times that I have realised that I am finding lots of reasons not to go and work on the python update. That is not a good position and also python has now moved from 3.13 to 3.14 so things are moving away from me.

I have come to the conclusion that someone else, more capable than me, needs to have a go at the python update, so I am giving up on it but will continue working on other things.

>
> Just building cbindgen has required a further ~98 Rust crates to be packaged. Often we have the same crate in different versions because other crates have pinned a specific version. In total, we currently have ~790 packages in IPFire. Out of those, there are 202 packages in the rust-* namespace. That is pretty much a quarter of the distribution. Although not a lot in size, this is a considerable maintenance burden.
>
> ClamAV and Suricata have (recently?) started to bundle all their Rust dependencies with their release tarballs. Although this is not a good thing for many other reasons, it will move the onus onto the upstream projects to provide whatever they need. If their dependencies (and the dependencies of their dependencies) explode, this is not really our problem any more as well as any supply chain problems. Great - within reason.
>
> That leaves us with only very few packages that would actually require any external Rust crates (Suricata is even configured to *exclusively* use their bundled crates): cbindgen as a new thing, python-cryptography, anything else? We might actually only need a fraction of the Rust crates that we currently have as the only packages that may actually tap into our locally built repository are only those two.

Unfortunately there is the addon oci-python-sdk that uses python-cryptography.

>
> Is anyone happy to give this all a try and clean up any old Rust deps? That way, I hope we will have a much smoother ride moving forward with a Python update.

I can take the current status, before Stefan's patches, and see how many existing rust modules can be removed. Anything that can be removed is a step forward.

I think a problem moving forward is that more python modules are ending up being a combination of python and rust as the cryptography and maturin modules have already done. I have also seen a lot of rust modules covering the same stuff as covered by python modules. So the future I think looks like it will continue to be very frustrating.

Regards,

Adolf.

>
> All the best,
> -Michael
>
>> On 22 Jan 2026, at 17:38, Stefan Schantl wrote:
>>
>> Hello list followers,
>>
>> I'm currently updating rust and affected modules.
>>
>> This happens mainly because I'm trying to fix the "suricata cache
>> grows infinite" problem, by which a lot of people are affected.
>>
>> To achieve this, I ported the patches from suricata main development
>> branch to our used suricata version (8.0.3).
>>
>> To perform a full build, a new tool called cbindgen - which is a rust
>> to c bindings generator, is required.
>>
>> Sadly this tool is also written in rust and requires some new
>> dependencies and a more up to date rust compiler.
>>
>> I hope to send a patchset for all this very soon to the mailing list.
>>
>> Best regards,
>>
>> -Stefan