* Updating rust and eco system
@ 2026-01-22 17:38 Stefan Schantl
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
2026-01-23 10:31 ` Updating rust and eco system Michael Tremer
0 siblings, 2 replies; 17+ messages in thread
From: Stefan Schantl @ 2026-01-22 17:38 UTC (permalink / raw)
To: development
Hello list followers,
I'm currently updating rust and affected modules.
This happends mainly because I'm trying to fix the "suricata cache
grows infinite" problem, which a lot of people are affected.
To archive this, I ported the patches from suricata main development
branch to our used suricata version (8.0.3).
To perform a full build, a new tool called cbindgen - which is a rust
to c bindings generator, is required.
Sadly this tool is also written in rust and requires some new
dependencies and a more up to date rust compiler.
I hope to send a patchset for all this very soon to the mailing list.
Best regards,
-Stefan
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 0/3] suricata: Add ability to purge the sgh cache
2026-01-22 17:38 Updating rust and eco system Stefan Schantl
@ 2026-01-23 5:26 ` Stefan Schantl
2026-01-23 5:26 ` [PATCH 1/3] suricata: Add upstream patch to purge sgh-mpm-caches Stefan Schantl
` (2 more replies)
2026-01-23 10:31 ` Updating rust and eco system Michael Tremer
1 sibling, 3 replies; 17+ messages in thread
From: Stefan Schantl @ 2026-01-23 5:26 UTC (permalink / raw)
To: development; +Cc: Stefan Schantl
Good morning list followers,
I've recently finished building and testing the patched suricata version
on my productive system.
When starting the patched suricata or doing a reload operation, all the
sgh cache files which are older than 7 days have been removed
successfully.
So for me this changes can be shipped to a bigger group of testers.
Best regards,
-Stefan
Stefan Schantl (3):
suricata: Add upstream patch to purge sgh-mpm-caches
rust: Update to 1.92.0
cbindgen: New package
config/rootfiles/common/aarch64/rust | 130 +-
config/rootfiles/common/cbindgen | 1 +
config/rootfiles/common/riscv64/rust | 109 +-
config/rootfiles/common/rust-adler2 | 15 +
config/rootfiles/common/rust-anstream | 22 +
config/rootfiles/common/rust-anstyle | 15 +
config/rootfiles/common/rust-anstyle-parse | 16 +
config/rootfiles/common/rust-anstyle-query | 11 +
config/rootfiles/common/rust-anstyle-wincon | 14 +
config/rootfiles/common/rust-anyhow | 56 +
config/rootfiles/common/rust-auditable-serde | 9 +
config/rootfiles/common/rust-bitflags | 63 +
config/rootfiles/common/rust-clap | 154 ++
config/rootfiles/common/rust-clap_builder | 71 +
config/rootfiles/common/rust-clap_lex | 9 +
config/rootfiles/common/rust-colorchoice | 8 +
config/rootfiles/common/rust-crc32fast | 19 +
config/rootfiles/common/rust-displaydoc | 42 +
config/rootfiles/common/rust-errno | 16 +
config/rootfiles/common/rust-fastrand | 16 +
config/rootfiles/common/rust-flate2 | 71 +
config/rootfiles/common/rust-form_urlencoded | 8 +
config/rootfiles/common/rust-getrandom | 85 +-
config/rootfiles/common/rust-getrandom-0.2.4 | 38 +
config/rootfiles/common/rust-heck | 17 +
config/rootfiles/common/rust-humantime | 16 +
config/rootfiles/common/rust-icu_collections | 85 ++
config/rootfiles/common/rust-icu_locale_core | 105 ++
config/rootfiles/common/rust-icu_normalizer | 42 +
.../rootfiles/common/rust-icu_normalizer_data | 17 +
config/rootfiles/common/rust-icu_properties | 19 +
.../rootfiles/common/rust-icu_properties_data | 139 ++
config/rootfiles/common/rust-icu_provider | 29 +
config/rootfiles/common/rust-id-arena | 14 +
config/rootfiles/common/rust-idna | 24 +
config/rootfiles/common/rust-idna_adapter | 9 +
.../common/rust-is_terminal_polyfill | 8 +
config/rootfiles/common/rust-leb128fmt | 9 +
config/rootfiles/common/rust-libc | 801 ++++++----
config/rootfiles/common/rust-libc-0.2.108 | 277 ++++
config/rootfiles/common/rust-linux-raw-sys | 410 +++++
config/rootfiles/common/rust-litemap | 27 +
config/rootfiles/common/rust-log | 47 +-
config/rootfiles/common/rust-log-0.4.14 | 22 +
config/rootfiles/common/rust-miniz_oxide | 24 +
config/rootfiles/common/rust-once_cell | 55 +-
config/rootfiles/common/rust-once_cell-1.9.0 | 24 +
.../rootfiles/common/rust-once_cell_polyfill | 10 +
config/rootfiles/common/rust-percent-encoding | 9 +
config/rootfiles/common/rust-potential_utf | 10 +
config/rootfiles/common/rust-prettyplease | 39 +
config/rootfiles/common/rust-r-efi | 71 +
config/rootfiles/common/rust-rustix | 403 +++++
config/rootfiles/common/rust-semver | 42 +-
config/rootfiles/common/rust-semver-0.9.0 | 15 +
config/rootfiles/common/rust-semver-parser | 33 +-
.../rootfiles/common/rust-semver-parser-0.7.0 | 12 +
config/rootfiles/common/rust-serde | 71 +-
config/rootfiles/common/rust-serde-1.0.216 | 32 +
config/rootfiles/common/rust-serde_core | 31 +
config/rootfiles/common/rust-serde_derive | 67 +-
.../common/rust-serde_derive-1.0.216 | 28 +
config/rootfiles/common/rust-simd-adler32 | 19 +
config/rootfiles/common/rust-smallvec | 40 +-
config/rootfiles/common/rust-smallvec-1.8.0 | 18 +
config/rootfiles/common/rust-spdx | 605 ++++++++
.../rootfiles/common/rust-stable_deref_trait | 18 +-
config/rootfiles/common/rust-strsim | 14 +
config/rootfiles/common/rust-syn | 225 +--
config/rootfiles/common/rust-syn-2.0.90 | 111 ++
config/rootfiles/common/rust-synstructure | 16 +-
config/rootfiles/common/rust-tempfile | 32 +
config/rootfiles/common/rust-tinystr | 25 +
config/rootfiles/common/rust-topological-sort | 9 +
config/rootfiles/common/rust-unicode-xid | 30 +-
.../rootfiles/common/rust-unicode-xid-0.2.1 | 14 +
config/rootfiles/common/rust-url | 20 +
config/rootfiles/common/rust-utf16_iter | 12 +
config/rootfiles/common/rust-utf8_iter | 12 +
config/rootfiles/common/rust-utf8parse | 12 +
config/rootfiles/common/rust-wasip2 | 30 +
config/rootfiles/common/rust-wasm-encoder | 45 +
config/rootfiles/common/rust-wasm-metadata | 31 +
config/rootfiles/common/rust-wasmparser | 79 +
config/rootfiles/common/rust-windows-link | 9 +
config/rootfiles/common/rust-windows-sys | 505 +++++++
config/rootfiles/common/rust-wit-bindgen | 42 +
config/rootfiles/common/rust-wit-bindgen-core | 15 +
config/rootfiles/common/rust-wit-bindgen-rust | 21 +
.../common/rust-wit-bindgen-rust-macro | 10 +
config/rootfiles/common/rust-wit-component | 1006 +++++++++++++
config/rootfiles/common/rust-wit-parser | 621 ++++++++
config/rootfiles/common/rust-write16 | 10 +
config/rootfiles/common/rust-writeable | 23 +
config/rootfiles/common/rust-yoke | 18 +
config/rootfiles/common/rust-yoke-derive | 11 +
config/rootfiles/common/rust-zerofrom | 9 +
config/rootfiles/common/rust-zerofrom-derive | 11 +
config/rootfiles/common/rust-zerotrie | 44 +
config/rootfiles/common/rust-zerovec | 69 +
config/rootfiles/common/rust-zerovec-derive | 17 +
config/rootfiles/common/x86_64/rust | 82 +-
config/suricata/suricata.yaml | 1 +
lfs/cbindgen | 80 +
lfs/rust | 13 +-
lfs/rust-adler2 | 81 +
lfs/rust-anstream | 81 +
lfs/rust-anstyle | 81 +
lfs/rust-anstyle-parse | 81 +
lfs/rust-anstyle-query | 81 +
lfs/rust-anstyle-wincon | 81 +
lfs/rust-anyhow | 81 +
lfs/rust-auditable-serde | 81 +
lfs/rust-bitflags | 81 +
lfs/rust-clap | 81 +
lfs/rust-clap_builder | 81 +
lfs/rust-clap_lex | 81 +
lfs/rust-colorchoice | 81 +
lfs/rust-crc32fast | 81 +
lfs/rust-displaydoc | 81 +
lfs/rust-errno | 81 +
lfs/rust-fastrand | 81 +
lfs/rust-flate2 | 81 +
lfs/rust-form_urlencoded | 81 +
lfs/rust-getrandom | 8 +-
lfs/rust-getrandom-0.2.4 | 81 +
lfs/rust-heck | 81 +
lfs/rust-humantime | 81 +
lfs/rust-icu_collections | 81 +
lfs/rust-icu_locale_core | 81 +
lfs/rust-icu_normalizer | 81 +
lfs/rust-icu_normalizer_data | 81 +
lfs/rust-icu_properties | 81 +
lfs/rust-icu_properties_data | 81 +
lfs/rust-icu_provider | 81 +
lfs/rust-id-arena | 81 +
lfs/rust-idna | 81 +
lfs/rust-idna_adapter | 81 +
lfs/rust-is_terminal_polyfill | 81 +
lfs/rust-leb128fmt | 81 +
lfs/rust-libc | 7 +-
lfs/rust-libc-0.2.108 | 80 +
lfs/rust-linux-raw-sys | 81 +
lfs/rust-litemap | 81 +
lfs/rust-log | 12 +-
lfs/rust-log-0.4.14 | 85 ++
lfs/rust-miniz_oxide | 81 +
lfs/rust-once_cell | 12 +-
lfs/rust-once_cell-1.9.0 | 85 ++
lfs/rust-once_cell_polyfill | 81 +
lfs/rust-percent-encoding | 81 +
lfs/rust-potential_utf | 81 +
lfs/rust-prettyplease | 81 +
lfs/rust-r-efi | 81 +
lfs/rust-rustix | 81 +
lfs/rust-semver | 12 +-
lfs/rust-semver-0.9.0 | 85 ++
lfs/rust-semver-parser | 7 +-
lfs/rust-semver-parser-0.7.0 | 80 +
lfs/rust-serde | 4 +-
lfs/rust-serde-1.0.216 | 81 +
lfs/rust-serde_core | 81 +
lfs/rust-serde_derive | 4 +-
lfs/rust-serde_derive-1.0.216 | 81 +
lfs/rust-simd-adler32 | 81 +
lfs/rust-smallvec | 12 +-
lfs/rust-smallvec-1.8.0 | 85 ++
lfs/rust-spdx | 81 +
lfs/rust-stable_deref_trait | 12 +-
lfs/rust-strsim | 81 +
lfs/rust-syn | 4 +-
lfs/rust-syn-2.0.90 | 81 +
lfs/rust-synstructure | 4 +-
lfs/rust-tempfile | 81 +
lfs/rust-tinystr | 81 +
lfs/rust-topological-sort | 81 +
lfs/rust-unicode-xid | 7 +-
lfs/rust-unicode-xid-0.2.1 | 80 +
lfs/rust-url | 81 +
lfs/rust-utf16_iter | 81 +
lfs/rust-utf8_iter | 81 +
lfs/rust-utf8parse | 81 +
lfs/rust-wasip2 | 81 +
lfs/rust-wasm-encoder | 81 +
lfs/rust-wasm-metadata | 81 +
lfs/rust-wasmparser | 81 +
lfs/rust-windows-link | 81 +
lfs/rust-windows-sys | 81 +
lfs/rust-wit-bindgen | 81 +
lfs/rust-wit-bindgen-core | 81 +
lfs/rust-wit-bindgen-rust | 81 +
lfs/rust-wit-bindgen-rust-macro | 81 +
lfs/rust-wit-component | 81 +
lfs/rust-wit-parser | 81 +
lfs/rust-write16 | 81 +
lfs/rust-writeable | 81 +
lfs/rust-yoke | 81 +
lfs/rust-yoke-derive | 81 +
lfs/rust-zerofrom | 81 +
lfs/rust-zerofrom-derive | 81 +
lfs/rust-zerotrie | 81 +
lfs/rust-zerovec | 81 +
lfs/rust-zerovec-derive | 81 +
lfs/suricata | 13 +-
make.sh | 133 +-
...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 +++++++++++++++++
206 files changed, 15762 insertions(+), 853 deletions(-)
create mode 100644 config/rootfiles/common/cbindgen
create mode 100644 config/rootfiles/common/rust-adler2
create mode 100644 config/rootfiles/common/rust-anstream
create mode 100644 config/rootfiles/common/rust-anstyle
create mode 100644 config/rootfiles/common/rust-anstyle-parse
create mode 100644 config/rootfiles/common/rust-anstyle-query
create mode 100644 config/rootfiles/common/rust-anstyle-wincon
create mode 100644 config/rootfiles/common/rust-anyhow
create mode 100644 config/rootfiles/common/rust-auditable-serde
create mode 100644 config/rootfiles/common/rust-bitflags
create mode 100644 config/rootfiles/common/rust-clap
create mode 100644 config/rootfiles/common/rust-clap_builder
create mode 100644 config/rootfiles/common/rust-clap_lex
create mode 100644 config/rootfiles/common/rust-colorchoice
create mode 100644 config/rootfiles/common/rust-crc32fast
create mode 100644 config/rootfiles/common/rust-displaydoc
create mode 100644 config/rootfiles/common/rust-errno
create mode 100644 config/rootfiles/common/rust-fastrand
create mode 100644 config/rootfiles/common/rust-flate2
create mode 100644 config/rootfiles/common/rust-form_urlencoded
create mode 100644 config/rootfiles/common/rust-getrandom-0.2.4
create mode 100644 config/rootfiles/common/rust-heck
create mode 100644 config/rootfiles/common/rust-humantime
create mode 100644 config/rootfiles/common/rust-icu_collections
create mode 100644 config/rootfiles/common/rust-icu_locale_core
create mode 100644 config/rootfiles/common/rust-icu_normalizer
create mode 100644 config/rootfiles/common/rust-icu_normalizer_data
create mode 100644 config/rootfiles/common/rust-icu_properties
create mode 100644 config/rootfiles/common/rust-icu_properties_data
create mode 100644 config/rootfiles/common/rust-icu_provider
create mode 100644 config/rootfiles/common/rust-id-arena
create mode 100644 config/rootfiles/common/rust-idna
create mode 100644 config/rootfiles/common/rust-idna_adapter
create mode 100644 config/rootfiles/common/rust-is_terminal_polyfill
create mode 100644 config/rootfiles/common/rust-leb128fmt
create mode 100644 config/rootfiles/common/rust-libc-0.2.108
create mode 100644 config/rootfiles/common/rust-linux-raw-sys
create mode 100644 config/rootfiles/common/rust-litemap
create mode 100644 config/rootfiles/common/rust-log-0.4.14
create mode 100644 config/rootfiles/common/rust-miniz_oxide
create mode 100644 config/rootfiles/common/rust-once_cell-1.9.0
create mode 100644 config/rootfiles/common/rust-once_cell_polyfill
create mode 100644 config/rootfiles/common/rust-percent-encoding
create mode 100644 config/rootfiles/common/rust-potential_utf
create mode 100644 config/rootfiles/common/rust-prettyplease
create mode 100644 config/rootfiles/common/rust-r-efi
create mode 100644 config/rootfiles/common/rust-rustix
create mode 100644 config/rootfiles/common/rust-semver-0.9.0
create mode 100644 config/rootfiles/common/rust-semver-parser-0.7.0
create mode 100644 config/rootfiles/common/rust-serde-1.0.216
create mode 100644 config/rootfiles/common/rust-serde_core
create mode 100644 config/rootfiles/common/rust-serde_derive-1.0.216
create mode 100644 config/rootfiles/common/rust-simd-adler32
create mode 100644 config/rootfiles/common/rust-smallvec-1.8.0
create mode 100644 config/rootfiles/common/rust-spdx
create mode 100644 config/rootfiles/common/rust-strsim
create mode 100644 config/rootfiles/common/rust-syn-2.0.90
create mode 100644 config/rootfiles/common/rust-tempfile
create mode 100644 config/rootfiles/common/rust-tinystr
create mode 100644 config/rootfiles/common/rust-topological-sort
create mode 100644 config/rootfiles/common/rust-unicode-xid-0.2.1
create mode 100644 config/rootfiles/common/rust-url
create mode 100644 config/rootfiles/common/rust-utf16_iter
create mode 100644 config/rootfiles/common/rust-utf8_iter
create mode 100644 config/rootfiles/common/rust-utf8parse
create mode 100644 config/rootfiles/common/rust-wasip2
create mode 100644 config/rootfiles/common/rust-wasm-encoder
create mode 100644 config/rootfiles/common/rust-wasm-metadata
create mode 100644 config/rootfiles/common/rust-wasmparser
create mode 100644 config/rootfiles/common/rust-windows-link
create mode 100644 config/rootfiles/common/rust-windows-sys
create mode 100644 config/rootfiles/common/rust-wit-bindgen
create mode 100644 config/rootfiles/common/rust-wit-bindgen-core
create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust
create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust-macro
create mode 100644 config/rootfiles/common/rust-wit-component
create mode 100644 config/rootfiles/common/rust-wit-parser
create mode 100644 config/rootfiles/common/rust-write16
create mode 100644 config/rootfiles/common/rust-writeable
create mode 100644 config/rootfiles/common/rust-yoke
create mode 100644 config/rootfiles/common/rust-yoke-derive
create mode 100644 config/rootfiles/common/rust-zerofrom
create mode 100644 config/rootfiles/common/rust-zerofrom-derive
create mode 100644 config/rootfiles/common/rust-zerotrie
create mode 100644 config/rootfiles/common/rust-zerovec
create mode 100644 config/rootfiles/common/rust-zerovec-derive
create mode 100644 lfs/cbindgen
create mode 100644 lfs/rust-adler2
create mode 100644 lfs/rust-anstream
create mode 100644 lfs/rust-anstyle
create mode 100644 lfs/rust-anstyle-parse
create mode 100644 lfs/rust-anstyle-query
create mode 100644 lfs/rust-anstyle-wincon
create mode 100644 lfs/rust-anyhow
create mode 100644 lfs/rust-auditable-serde
create mode 100644 lfs/rust-bitflags
create mode 100644 lfs/rust-clap
create mode 100644 lfs/rust-clap_builder
create mode 100644 lfs/rust-clap_lex
create mode 100644 lfs/rust-colorchoice
create mode 100644 lfs/rust-crc32fast
create mode 100644 lfs/rust-displaydoc
create mode 100644 lfs/rust-errno
create mode 100644 lfs/rust-fastrand
create mode 100644 lfs/rust-flate2
create mode 100644 lfs/rust-form_urlencoded
create mode 100644 lfs/rust-getrandom-0.2.4
create mode 100644 lfs/rust-heck
create mode 100644 lfs/rust-humantime
create mode 100644 lfs/rust-icu_collections
create mode 100644 lfs/rust-icu_locale_core
create mode 100644 lfs/rust-icu_normalizer
create mode 100644 lfs/rust-icu_normalizer_data
create mode 100644 lfs/rust-icu_properties
create mode 100644 lfs/rust-icu_properties_data
create mode 100644 lfs/rust-icu_provider
create mode 100644 lfs/rust-id-arena
create mode 100644 lfs/rust-idna
create mode 100644 lfs/rust-idna_adapter
create mode 100644 lfs/rust-is_terminal_polyfill
create mode 100644 lfs/rust-leb128fmt
create mode 100644 lfs/rust-libc-0.2.108
create mode 100644 lfs/rust-linux-raw-sys
create mode 100644 lfs/rust-litemap
create mode 100644 lfs/rust-log-0.4.14
create mode 100644 lfs/rust-miniz_oxide
create mode 100644 lfs/rust-once_cell-1.9.0
create mode 100644 lfs/rust-once_cell_polyfill
create mode 100644 lfs/rust-percent-encoding
create mode 100644 lfs/rust-potential_utf
create mode 100644 lfs/rust-prettyplease
create mode 100644 lfs/rust-r-efi
create mode 100644 lfs/rust-rustix
create mode 100644 lfs/rust-semver-0.9.0
create mode 100644 lfs/rust-semver-parser-0.7.0
create mode 100644 lfs/rust-serde-1.0.216
create mode 100644 lfs/rust-serde_core
create mode 100644 lfs/rust-serde_derive-1.0.216
create mode 100644 lfs/rust-simd-adler32
create mode 100644 lfs/rust-smallvec-1.8.0
create mode 100644 lfs/rust-spdx
create mode 100644 lfs/rust-strsim
create mode 100644 lfs/rust-syn-2.0.90
create mode 100644 lfs/rust-tempfile
create mode 100644 lfs/rust-tinystr
create mode 100644 lfs/rust-topological-sort
create mode 100644 lfs/rust-unicode-xid-0.2.1
create mode 100644 lfs/rust-url
create mode 100644 lfs/rust-utf16_iter
create mode 100644 lfs/rust-utf8_iter
create mode 100644 lfs/rust-utf8parse
create mode 100644 lfs/rust-wasip2
create mode 100644 lfs/rust-wasm-encoder
create mode 100644 lfs/rust-wasm-metadata
create mode 100644 lfs/rust-wasmparser
create mode 100644 lfs/rust-windows-link
create mode 100644 lfs/rust-windows-sys
create mode 100644 lfs/rust-wit-bindgen
create mode 100644 lfs/rust-wit-bindgen-core
create mode 100644 lfs/rust-wit-bindgen-rust
create mode 100644 lfs/rust-wit-bindgen-rust-macro
create mode 100644 lfs/rust-wit-component
create mode 100644 lfs/rust-wit-parser
create mode 100644 lfs/rust-write16
create mode 100644 lfs/rust-writeable
create mode 100644 lfs/rust-yoke
create mode 100644 lfs/rust-yoke-derive
create mode 100644 lfs/rust-zerofrom
create mode 100644 lfs/rust-zerofrom-derive
create mode 100644 lfs/rust-zerotrie
create mode 100644 lfs/rust-zerovec
create mode 100644 lfs/rust-zerovec-derive
create mode 100644 src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
--
2.47.3
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 1/3] suricata: Add upstream patch to purge sgh-mpm-caches
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
@ 2026-01-23 5:26 ` Stefan Schantl
2026-01-23 5:26 ` [PATCH 2/3] rust: Update to 1.92.0 Stefan Schantl
2026-01-23 10:09 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Michael Tremer
2 siblings, 0 replies; 17+ messages in thread
From: Stefan Schantl @ 2026-01-23 5:26 UTC (permalink / raw)
To: development; +Cc: Stefan Schantl
This patch is collection of the recently merged upstream patches to
allow purging the sgh-mpm-cache (hyperscan) after a specified amount of
time. (https://github.com/OISF/suricata/pull/14630)
I've set this to the upstreams example default of 7 days for now.
Fixes #13926.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/suricata/suricata.yaml | 1 +
lfs/suricata | 13 +-
...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 +++++++++++++++++
3 files changed, 1354 insertions(+), 1 deletion(-)
create mode 100644 src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index dd3492eb6..e91c003e7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -1534,6 +1534,7 @@ detect:
# Cache MPM contexts to the disk to avoid rule compilation at the startup.
# Cache files are created in the standard library directory.
sgh-mpm-caching: yes
+ sgh-mpm-caching-max-age: 7d
sgh-mpm-caching-path: /var/cache/suricata/sgh
# inspection-recursion-limit: 3000
# maximum number of times a tx will get logged for rules without app-layer keywords
diff --git a/lfs/suricata b/lfs/suricata
index c483aef0a..a20450c31 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -71,6 +71,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-8.0.0-disable-sid-2210059.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
+
+ # Temporary workaround because the suricata 8.0.3 tarball does not contain the rust source as trusted vendor
+ # for humantime and the module is required since applying the purge-hyperscan-cache patchfile.
+ #
+ # So we have to copy our installed rust module into the desired directory here.
+ cd $(DIR_APP) && cp -avf /usr/share/cargo/registry/humantime* $(DIR_APP)/rust/vendor
+
cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--sysconfdir=/etc \
@@ -86,6 +94,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--enable-rust \
--enable-unix-socket
+ # Drop the Cargo.lock file before building.
+ cd $(DIR_APP) && rm -rvf $(DIR_APP)/rust/Cargo.lock
+
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && make install-conf
diff --git a/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch b/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
new file mode 100644
index 000000000..14f36985d
--- /dev/null
+++ b/src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
@@ -0,0 +1,1341 @@
+commit 47fc78eeae9a365b4d36609154642ca72c9cb9fb
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Mon Sep 15 11:40:30 2025 +0200
+
+ hs: update the file description
+
+diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c
+index 2e58676fa..fd54cf306 100644
+--- a/src/util-mpm-hs-cache.c
++++ b/src/util-mpm-hs-cache.c
+@@ -20,7 +20,7 @@
+ *
+ * \author Lukas Sismis <lsismis@oisf.net>
+ *
+- * MPM pattern matcher that calls the Hyperscan regex matcher.
++ * Hyperscan cache helper utilities for MPM cache files.
+ */
+
+ #include "suricata-common.h"
+commit 2a313ff429eb49be5e4c3b9dadfca127fa64c5fe
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Thu Oct 30 12:01:33 2025 +0100
+
+ hs: reduce cache filename size to max file limit
+
+diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c
+index fd54cf306..1e5001ba0 100644
+--- a/src/util-mpm-hs-cache.c
++++ b/src/util-mpm-hs-cache.c
+@@ -41,7 +41,7 @@ static const char *HSCacheConstructFPath(const char *folder_path, uint64_t hs_db
+ static char hash_file_path[PATH_MAX];
+
+ char hash_file_path_suffix[] = "_v1.hs";
+- char filename[PATH_MAX];
++ char filename[NAME_MAX];
+ uint64_t r = snprintf(
+ filename, sizeof(filename), "%020" PRIu64 "%s", hs_db_hash, hash_file_path_suffix);
+ if (r != (uint64_t)(20 + strlen(hash_file_path_suffix)))
+commit c282880174875fab6bcc62a2a60c85b58dfb0d32
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Thu Oct 30 12:04:35 2025 +0100
+
+ hs: change hash in the cache name to SHA256
+
+diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c
+index 1e5001ba0..83bbee59c 100644
+--- a/src/util-mpm-hs-cache.c
++++ b/src/util-mpm-hs-cache.c
+@@ -34,17 +34,17 @@
+
+ #ifdef BUILD_HYPERSCAN
+
++#include "rust.h"
+ #include <hs.h>
+
+-static const char *HSCacheConstructFPath(const char *folder_path, uint64_t hs_db_hash)
++static const char *HSCacheConstructFPath(const char *folder_path, const char *hs_db_hash)
+ {
+ static char hash_file_path[PATH_MAX];
+
+ char hash_file_path_suffix[] = "_v1.hs";
+ char filename[NAME_MAX];
+- uint64_t r = snprintf(
+- filename, sizeof(filename), "%020" PRIu64 "%s", hs_db_hash, hash_file_path_suffix);
+- if (r != (uint64_t)(20 + strlen(hash_file_path_suffix)))
++ uint64_t r = snprintf(filename, sizeof(filename), "%s%s", hs_db_hash, hash_file_path_suffix);
++ if (r != (uint64_t)(strlen(hs_db_hash) + strlen(hash_file_path_suffix)))
+ return NULL;
+
+ r = PathMerge(hash_file_path, sizeof(hash_file_path), folder_path, filename);
+@@ -104,22 +104,22 @@ static char *HSReadStream(const char *file_path, size_t *buffer_sz)
+ * Function to hash the searched pattern, only things relevant to Hyperscan
+ * compilation are hashed.
+ */
+-static void SCHSCachePatternHash(const SCHSPattern *p, uint32_t *h1, uint32_t *h2)
++static void SCHSCachePatternHash(const SCHSPattern *p, SCSha256 *sha256)
+ {
+ BUG_ON(p->original_pat == NULL);
+ BUG_ON(p->sids == NULL);
+
+- hashlittle2_safe(&p->len, sizeof(p->len), h1, h2);
+- hashlittle2_safe(&p->flags, sizeof(p->flags), h1, h2);
+- hashlittle2_safe(p->original_pat, p->len, h1, h2);
+- hashlittle2_safe(&p->id, sizeof(p->id), h1, h2);
+- hashlittle2_safe(&p->offset, sizeof(p->offset), h1, h2);
+- hashlittle2_safe(&p->depth, sizeof(p->depth), h1, h2);
+- hashlittle2_safe(&p->sids_size, sizeof(p->sids_size), h1, h2);
+- hashlittle2_safe(p->sids, p->sids_size * sizeof(SigIntId), h1, h2);
++ SCSha256Update(sha256, (const uint8_t *)&p->len, sizeof(p->len));
++ SCSha256Update(sha256, (const uint8_t *)&p->flags, sizeof(p->flags));
++ SCSha256Update(sha256, (const uint8_t *)p->original_pat, p->len);
++ SCSha256Update(sha256, (const uint8_t *)&p->id, sizeof(p->id));
++ SCSha256Update(sha256, (const uint8_t *)&p->offset, sizeof(p->offset));
++ SCSha256Update(sha256, (const uint8_t *)&p->depth, sizeof(p->depth));
++ SCSha256Update(sha256, (const uint8_t *)&p->sids_size, sizeof(p->sids_size));
++ SCSha256Update(sha256, (const uint8_t *)p->sids, p->sids_size * sizeof(SigIntId));
+ }
+
+-int HSLoadCache(hs_database_t **hs_db, uint64_t hs_db_hash, const char *dirpath)
++int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpath)
+ {
+ const char *hash_file_static = HSCacheConstructFPath(dirpath, hs_db_hash);
+ if (hash_file_static == NULL)
+@@ -161,7 +161,7 @@ freeup:
+ return ret;
+ }
+
+-static int HSSaveCache(hs_database_t *hs_db, uint64_t hs_db_hash, const char *dstpath)
++static int HSSaveCache(hs_database_t *hs_db, const char *hs_db_hash, const char *dstpath)
+ {
+ static bool notified = false;
+ char *db_stream = NULL;
+@@ -220,14 +220,26 @@ cleanup:
+ return ret;
+ }
+
+-uint64_t HSHashDb(const PatternDatabase *pd)
++int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len)
+ {
+- uint32_t hash[2] = { 0 };
+- hashword2(&pd->pattern_cnt, 1, &hash[0], &hash[1]);
++ SCSha256 *hasher = SCSha256New();
++ if (hasher == NULL) {
++ SCLogDebug("sha256 hashing failed");
++ return -1;
++ }
++ SCSha256Update(hasher, (const uint8_t *)&pd->pattern_cnt, sizeof(pd->pattern_cnt));
+ for (uint32_t i = 0; i < pd->pattern_cnt; i++) {
+- SCHSCachePatternHash(pd->parray[i], &hash[0], &hash[1]);
++ SCHSCachePatternHash(pd->parray[i], hasher);
++ }
++
++ if (!SCSha256FinalizeToHex(hasher, hash, hash_len)) {
++ hasher = NULL;
++ SCLogDebug("sha256 hashing failed");
++ return -1;
+ }
+- return ((uint64_t)hash[1] << 32) | hash[0];
++
++ hasher = NULL;
++ return 0;
+ }
+
+ void HSSaveCacheIterator(void *data, void *aux)
+@@ -244,7 +256,11 @@ void HSSaveCacheIterator(void *data, void *aux)
+ return;
+ }
+
+- if (HSSaveCache(pd->hs_db, HSHashDb(pd), iter_data->cache_path) == 0) {
++ char hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul terminator
++ if (HSHashDb(pd, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) {
++ return;
++ }
++ if (HSSaveCache(pd->hs_db, hs_db_hash, iter_data->cache_path) == 0) {
+ pd->cached = true; // for rule reloads
+ iter_data->pd_stats->hs_dbs_cache_saved_cnt++;
+ }
+diff --git a/src/util-mpm-hs-cache.h b/src/util-mpm-hs-cache.h
+index 237762d5a..225c5001a 100644
+--- a/src/util-mpm-hs-cache.h
++++ b/src/util-mpm-hs-cache.h
+@@ -35,8 +35,8 @@ struct HsIteratorData {
+ const char *cache_path;
+ };
+
+-int HSLoadCache(hs_database_t **hs_db, uint64_t hs_db_hash, const char *dirpath);
+-uint64_t HSHashDb(const PatternDatabase *pd);
++int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpath);
++int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len);
+ void HSSaveCacheIterator(void *data, void *aux);
+ #endif /* BUILD_HYPERSCAN */
+
+diff --git a/src/util-mpm-hs.c b/src/util-mpm-hs.c
+index dde5bf36a..ad7178eb8 100644
+--- a/src/util-mpm-hs.c
++++ b/src/util-mpm-hs.c
+@@ -683,8 +683,11 @@ static int PatternDatabaseGetCached(
+ return 0;
+ } else if (cache_dir_path) {
+ pd_cached = *pd;
+- uint64_t db_lookup_hash = HSHashDb(pd_cached);
+- if (HSLoadCache(&pd_cached->hs_db, db_lookup_hash, cache_dir_path) == 0) {
++ char hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul terminator
++ if (HSHashDb(pd_cached, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) {
++ return -1;
++ }
++ if (HSLoadCache(&pd_cached->hs_db, hs_db_hash, cache_dir_path) == 0) {
+ pd_cached->ref_cnt = 1;
+ pd_cached->cached = true;
+ if (HSScratchAlloc(pd_cached->hs_db) != 0) {
+commit 3e4fdb2118bfcb8b2644944daded2d8c67420499
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Sat Sep 13 11:23:16 2025 +0200
+
+ misc: time unit parsing function
+
+diff --git a/rust/Cargo.lock.in b/rust/Cargo.lock.in
+index d296a196e..d47cdd197 100644
+--- a/rust/Cargo.lock.in
++++ b/rust/Cargo.lock.in
+@@ -688,6 +688,12 @@ dependencies = [
+ "windows-sys 0.52.0",
+ ]
+
++[[package]]
++name = "humantime"
++version = "2.3.0"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
++
+ [[package]]
+ name = "indexmap"
+ version = "2.11.4"
+@@ -1551,6 +1557,7 @@ dependencies = [
+ "flate2",
+ "hex",
+ "hkdf",
++ "humantime",
+ "ipsec-parser",
+ "kerberos-parser",
+ "lazy_static",
+diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in
+index 0fedea33f..22e166062 100644
+--- a/rust/Cargo.toml.in
++++ b/rust/Cargo.toml.in
+@@ -77,6 +77,7 @@ lazy_static = "~1.5.0"
+ base64 = "~0.22.1"
+ bendy = { version = "~0.3.3", default-features = false }
+ asn1-rs = { version = "~0.6.2" }
++humantime = "~2.3.0"
+ ldap-parser = { version = "~0.5.0" }
+ hex = "~0.4.3"
+ psl = "2"
+diff --git a/rust/src/util.rs b/rust/src/util.rs
+index 9d45ae26d..2cb2da17c 100644
+--- a/rust/src/util.rs
++++ b/rust/src/util.rs
+@@ -17,6 +17,7 @@
+
+ //! Utility module.
+
++use std::borrow::Cow;
+ use std::ffi::CStr;
+ use std::os::raw::c_char;
+
+@@ -26,6 +27,8 @@ use nom8::combinator::verify;
+ use nom8::multi::many1_count;
+ use nom8::{AsChar, IResult, Parser};
+
++use humantime::parse_duration;
++
+ #[no_mangle]
+ pub unsafe extern "C" fn SCCheckUtf8(val: *const c_char) -> bool {
+ CStr::from_ptr(val).to_str().is_ok()
+@@ -63,10 +66,56 @@ pub unsafe extern "C" fn SCValidateDomain(input: *const u8, in_len: u32) -> u32
+ return 0;
+ }
+
++/// Add 's' suffix if input is only digits, and convert to lowercase if needed.
++fn duration_unit_normalize(input: &str) -> Cow<'_, str> {
++ if input.bytes().all(|b| b.is_ascii_digit()) {
++ let mut owned = String::with_capacity(input.len() + 1);
++ owned.push_str(input);
++ owned.push('s');
++ return Cow::Owned(owned);
++ }
++
++ if input.bytes().any(|b| b.is_ascii_uppercase()) {
++ Cow::Owned(input.to_ascii_lowercase())
++ } else {
++ Cow::Borrowed(input)
++ }
++}
++
++/// Reads a C string from `input`, parses it, and writes the result to `*res`.
++/// Returns 0 on success (result written to *res), -1 otherwise.
++#[no_mangle]
++pub unsafe extern "C" fn SCParseTimeDuration(input: *const c_char, res: *mut u64) -> i32 {
++ if input.is_null() || res.is_null() {
++ return -1;
++ }
++
++ let input_str = match CStr::from_ptr(input).to_str() {
++ Ok(s) => s,
++ Err(_) => return -1,
++ };
++
++ let trimmed = input_str.trim();
++ if trimmed.is_empty() {
++ return -1;
++ }
++
++ let normalized = duration_unit_normalize(trimmed);
++ match parse_duration(normalized.as_ref()) {
++ Ok(duration) => {
++ *res = duration.as_secs();
++ 0
++ }
++ Err(_) => -1,
++ }
++}
++
+ #[cfg(test)]
+ mod tests {
+
+ use super::*;
++ use std::ffi::CString;
++ use std::ptr::{null, null_mut};
+
+ #[test]
+ fn test_parse_domain() {
+@@ -83,4 +132,73 @@ mod tests {
+ let buf1: &[u8] = "a(x)y.com".as_bytes();
+ assert!(parse_domain(buf1).is_err());
+ }
++
++ #[test]
++ fn test_parse_time_valid() {
++ unsafe {
++ let mut v: u64 = 0;
++
++ let s = CString::new("10").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 10);
++
++ let s = CString::new("0").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 0);
++
++ let s = CString::new("2H").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 7200);
++
++ let s = CString::new("1 day").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 86400);
++
++ let s = CString::new("1w").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 604800);
++
++ let s = CString::new("1 week").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 604800);
++
++ let s = CString::new("1y").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 31557600);
++
++ let s = CString::new("1 year").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, 31557600);
++
++ // max
++ let s = CString::new("18446744073709551615").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), 0);
++ assert_eq!(v, u64::MAX);
++ }
++ }
++
++ #[test]
++ fn test_parse_time_duration_invalid() {
++ unsafe {
++ let mut v: u64 = 0;
++ let s = CString::new("10q").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1);
++
++ let s = CString::new("abc").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1);
++
++ let s = CString::new("-300s").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1);
++
++ let s = CString::new("1h -600s").unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1);
++
++ assert_eq!(SCParseTimeDuration(null(), &mut v), -1);
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), null_mut()), -1);
++
++ let overflow_years = (u64::MAX / 31557600) + 1;
++ let s = CString::new(format!("{}y", overflow_years)).unwrap();
++ assert_eq!(SCParseTimeDuration(s.as_ptr(), &mut v), -1);
++ }
++ }
+ }
+diff --git a/rust/sys/src/sys.rs b/rust/sys/src/sys.rs
+index 3dbd2293e..7be2a12b4 100644
+--- a/rust/sys/src/sys.rs
++++ b/rust/sys/src/sys.rs
+@@ -701,6 +701,11 @@ extern "C" {
+ name: *const ::std::os::raw::c_char, val: *mut f32,
+ ) -> ::std::os::raw::c_int;
+ }
++extern "C" {
++ pub fn SCConfGetTime(
++ name: *const ::std::os::raw::c_char, val: *mut u64,
++ ) -> ::std::os::raw::c_int;
++}
+ extern "C" {
+ pub fn SCConfSet(
+ name: *const ::std::os::raw::c_char, val: *const ::std::os::raw::c_char,
+commit 85f0382072173c226426d4556a9d959ab0a90c34
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Sat Sep 13 23:55:02 2025 +0200
+
+ conf: add time parsing conf function
+
+diff --git a/src/conf.c b/src/conf.c
+index 3be82529d..c81da37b4 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -42,6 +42,7 @@
+ #include "util-debug.h"
+ #include "util-path.h"
+ #include "util-conf.h"
++#include "rust.h"
+
+ /** Maximum size of a complete domain name. */
+ #define NODE_NAME_MAX 1024
+@@ -647,6 +648,36 @@ int SCConfGetFloat(const char *name, float *val)
+ return 1;
+ }
+
++/**
++ * \brief Retrieve a configuration value as a time duration in seconds.
++ *
++ * The configuration value is expected to be a string with a number
++ * followed by an optional time-describing unit (e.g. s, seconds, weeks, years).
++ * If no unit is specified, seconds are assumed.
++ *
++ * \param name Name of configuration parameter to get.
++ * \param val Pointer to an uint64_t that will be set the
++ * configuration value in seconds.
++ *
++ * \retval 1 will be returned if the name is found and was properly
++ * converted to a time duration, otherwise 0 will be returned.
++ */
++int SCConfGetTime(const char *name, uint64_t *val)
++{
++ const char *strval = NULL;
++
++ if (SCConfGet(name, &strval) == 0)
++ return 0;
++
++ if (strval == NULL || strval[0] == '\0')
++ return 0;
++
++ if (SCParseTimeDuration(strval, val) != 0)
++ return 0;
++
++ return 1;
++}
++
+ /**
+ * \brief Remove (and SCFree) the provided configuration node.
+ */
+diff --git a/src/conf.h b/src/conf.h
+index 348138998..0f3a881ac 100644
+--- a/src/conf.h
++++ b/src/conf.h
+@@ -67,6 +67,7 @@ int SCConfGetInt(const char *name, intmax_t *val);
+ int SCConfGetBool(const char *name, int *val);
+ int SCConfGetDouble(const char *name, double *val);
+ int SCConfGetFloat(const char *name, float *val);
++int SCConfGetTime(const char *name, uint64_t *val);
+ int SCConfSet(const char *name, const char *val);
+ int SCConfSetFromString(const char *input, int final);
+ int SCConfSetFinal(const char *name, const char *val);
+commit fd3847db728536f6b345c33542f98a72fc058e8b
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Mon Sep 15 11:36:01 2025 +0200
+
+ path: signal last use of the file (touch)
+
+ To have a system-level overview of when was the last time the file was
+ used, update the file modification timestamp to to the current time.
+
+ This is needed to remove stale cache files of the system.
+
+ Access time is not used as it may be, on the system level, disabled.
+
+ Ticket: 7830
+
+diff --git a/src/util-path.c b/src/util-path.c
+index 356c4a772..cde5a67ff 100644
+--- a/src/util-path.c
++++ b/src/util-path.c
+@@ -277,3 +277,23 @@ bool SCPathContainsTraversal(const char *path)
+ #endif
+ return strstr(path, pattern) != NULL;
+ }
++
++/**
++ * \brief Update access and modification time of an existing file to 'now'.
++ * \param path The file path to touch
++ * \retval 0 on success, -1 on failure
++ */
++int SCTouchFile(const char *path)
++{
++ if (path == NULL || path[0] == '\0') {
++ errno = EINVAL;
++ return -1;
++ }
++#ifndef OS_WIN32
++ struct utimbuf ub;
++ ub.actime = ub.modtime = time(NULL);
++ if (utime(path, &ub) == 0)
++ return 0;
++#endif
++ return -1;
++}
+diff --git a/src/util-path.h b/src/util-path.h
+index b2b262490..e835d847d 100644
+--- a/src/util-path.h
++++ b/src/util-path.h
+@@ -59,5 +59,6 @@ bool SCIsRegularFile(const struct dirent *const dir_entry);
+ char *SCRealPath(const char *path, char *resolved_path);
+ const char *SCBasename(const char *path);
+ bool SCPathContainsTraversal(const char *path);
++int SCTouchFile(const char *path);
+
+ #endif /* SURICATA_UTIL_PATH_H */
+commit 7031c268655aec5c44420902bbda6f7aea8eba33
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Mon Sep 15 11:39:02 2025 +0200
+
+ hs: touch cache files on use to signal activity
+
+ Ticket: 7830
+
+diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c
+index 83bbee59c..41b308171 100644
+--- a/src/util-mpm-hs-cache.c
++++ b/src/util-mpm-hs-cache.c
+@@ -150,6 +150,10 @@ int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpa
+ }
+
+ ret = 0;
++ /* Touch file to update modification time so active caches are retained. */
++ if (SCTouchFile(hash_file_static) != 0) {
++ SCLogDebug("Failed to update mtime for %s", hash_file_static);
++ }
+ goto freeup;
+ }
+
+commit 08f5abe5e967bbcfbc0c11a797ef86125afd3db8
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Sun Dec 28 00:09:29 2025 +0100
+
+ detect-engine: make mpm & spm part of MT stub ctx
+
+ As a intermediary step for Hyperscan (MPM) caching,
+ the MPM config initialization should be part of the default
+ detect engine context for later dynamic retrieval.
+
+ Ticket: 7830
+
+diff --git a/src/detect-engine.c b/src/detect-engine.c
+index b6d2d4237..12b1683c5 100644
+--- a/src/detect-engine.c
++++ b/src/detect-engine.c
+@@ -2495,6 +2495,20 @@ static DetectEngineCtx *DetectEngineCtxInitReal(
+ de_ctx->filemagic_thread_ctx_id = -1;
+ de_ctx->tenant_id = tenant_id;
+
++ de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
++ de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher();
++
++ if (mpm_table[de_ctx->mpm_matcher].ConfigInit) {
++ de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit();
++ if (de_ctx->mpm_cfg == NULL) {
++ goto error;
++ }
++ }
++ if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
++ mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
++ de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
++ }
++
+ if (type == DETECT_ENGINE_TYPE_DD_STUB || type == DETECT_ENGINE_TYPE_MT_STUB) {
+ de_ctx->version = DetectEngineGetVersion();
+ SCLogDebug("stub %u with version %u", type, de_ctx->version);
+@@ -2511,23 +2525,8 @@ static DetectEngineCtx *DetectEngineCtxInitReal(
+ }
+ de_ctx->failure_fatal = (failure_fatal == 1);
+
+- de_ctx->mpm_matcher = PatternMatchDefaultMatcher();
+- de_ctx->spm_matcher = SinglePatternMatchDefaultMatcher();
+- SCLogConfig("pattern matchers: MPM: %s, SPM: %s",
+- mpm_table[de_ctx->mpm_matcher].name,
+- spm_table[de_ctx->spm_matcher].name);
+-
+- if (mpm_table[de_ctx->mpm_matcher].ConfigInit) {
+- de_ctx->mpm_cfg = mpm_table[de_ctx->mpm_matcher].ConfigInit();
+- if (de_ctx->mpm_cfg == NULL) {
+- goto error;
+- }
+- }
+- if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
+- mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
+- de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
+- }
+-
++ SCLogConfig("pattern matchers: MPM: %s, SPM: %s", mpm_table[de_ctx->mpm_matcher].name,
++ spm_table[de_ctx->spm_matcher].name);
+ de_ctx->spm_global_thread_ctx = SpmInitGlobalThreadCtx(de_ctx->spm_matcher);
+ if (de_ctx->spm_global_thread_ctx == NULL) {
+ SCLogDebug("Unable to alloc SpmGlobalThreadCtx.");
+commit 15c83be61ac3f47bf198fe24eb908db5a84b7ccd
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Mon Sep 15 11:24:23 2025 +0200
+
+ hs: prune stale MPM cache files
+
+ Hyperscan MPM can cache the compiled contexts to files.
+ This however grows as rulesets change and leads to bloating
+ the system. This addition prunes the stale cache files based
+ on their modified file timestamp.
+
+ Part of this work incorporates new model for MPM cache stats
+ to split it out from the cache save function and aggregate
+ cache-related stats in one place (newly added pruning).
+
+ Ticket: 7830
+
+diff --git a/doc/userguide/performance/hyperscan.rst b/doc/userguide/performance/hyperscan.rst
+index 065163110..1060d3aef 100644
+--- a/doc/userguide/performance/hyperscan.rst
++++ b/doc/userguide/performance/hyperscan.rst
+@@ -83,6 +83,8 @@ if it is present on the system in case of the "auto" setting.
+ If the current suricata installation does not have hyperscan
+ support, refer to :ref:`installation`
+
++.. _hyperscan-cache-configuration:
++
+ Hyperscan caching
+ ~~~~~~~~~~~~~~~~~
+
+@@ -104,6 +106,24 @@ To enable this function, in `suricata.yaml` configure:
+ sgh-mpm-caching-path: /var/lib/suricata/cache/hs
+
+
++To avoid cache files growing indefinitely, Suricata supports pruning of old
++cache files. Suricata removes cache files older than the specified age
++on startup/rule reloads, where age is determined by delta of the file
++modification time and the current time.
++Cache files that are actively being used will have their modification time
++updated when loaded, so they won't be deleted.
++
++In `suricata.yaml` configure:
++
++::
++
++ detect:
++ sgh-mpm-caching-max-age: 7d
++
++The setting accepts a combination of time units (s,m,h,d,w,y),
++e.g. `1w 3d 12h` for 1 week, 3 days and 12 hours. Setting the value to `0`
++disables pruning.
++
+ **Note**:
+ You might need to create and adjust permissions to the default caching folder
+ path, especially if you are running Suricata as a non-root user.
+diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
+index ef8d1e369..054e3eb38 100644
+--- a/doc/userguide/upgrade.rst
++++ b/doc/userguide/upgrade.rst
+@@ -68,6 +68,10 @@ Other Changes
+ from unbounded to 2048. Configuration options, ``max-tx``,
+ ``max-points``, and ``max-objects`` have been added for users who
+ may need to change these defaults.
++- Hyperscan caching (`detect.sgh-mpm-caching`), when enabled, prunes
++ cache files that have not been used in the last 7 days by default.
++ See :ref:`Hyperscan caching configuration
++ <hyperscan-cache-configuration>` for more information.
+
+ Upgrading to 8.0.1
+ ------------------
+diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c
+index ef0e8ef13..a97ebd6d2 100644
+--- a/src/detect-engine-loader.c
++++ b/src/detect-engine-loader.c
+@@ -502,10 +502,6 @@ skip_regular_rules:
+
+ ret = 0;
+
+- if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) {
+- mpm_table[de_ctx->mpm_matcher].CacheRuleset(de_ctx->mpm_cfg);
+- }
+-
+ end:
+ gettimeofday(&de_ctx->last_reload, NULL);
+ if (SCRunmodeGet() == RUNMODE_ENGINE_ANALYSIS) {
+diff --git a/src/detect-engine.c b/src/detect-engine.c
+index 12b1683c5..28e0bc14a 100644
+--- a/src/detect-engine.c
++++ b/src/detect-engine.c
+@@ -2481,6 +2481,49 @@ const char *DetectEngineMpmCachingGetPath(void)
+ return SGH_CACHE_DIR;
+ }
+
++void DetectEngineMpmCacheService(uint32_t op_flags)
++{
++ DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
++ if (!de_ctx) {
++ return;
++ }
++
++ if (!de_ctx->mpm_cfg || !de_ctx->mpm_cfg->cache_dir_path) {
++ goto error;
++ }
++
++ if (mpm_table[de_ctx->mpm_matcher].CacheStatsInit != NULL) {
++ de_ctx->mpm_cfg->cache_stats = mpm_table[de_ctx->mpm_matcher].CacheStatsInit();
++ if (de_ctx->mpm_cfg->cache_stats == NULL) {
++ goto error;
++ }
++ }
++
++ if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_SAVE) {
++ if (mpm_table[de_ctx->mpm_matcher].CacheRuleset != NULL) {
++ mpm_table[de_ctx->mpm_matcher].CacheRuleset(de_ctx->mpm_cfg);
++ }
++ }
++
++ if (op_flags & DETECT_ENGINE_MPM_CACHE_OP_PRUNE) {
++ if (mpm_table[de_ctx->mpm_matcher].CachePrune != NULL) {
++ mpm_table[de_ctx->mpm_matcher].CachePrune(de_ctx->mpm_cfg);
++ }
++ }
++
++ if (mpm_table[de_ctx->mpm_matcher].CacheStatsPrint != NULL) {
++ mpm_table[de_ctx->mpm_matcher].CacheStatsPrint(de_ctx->mpm_cfg->cache_stats);
++ }
++
++ if (mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit != NULL) {
++ mpm_table[de_ctx->mpm_matcher].CacheStatsDeinit(de_ctx->mpm_cfg->cache_stats);
++ de_ctx->mpm_cfg->cache_stats = NULL;
++ }
++
++error:
++ DetectEngineDeReference(&de_ctx);
++}
++
+ static DetectEngineCtx *DetectEngineCtxInitReal(
+ enum DetectEngineType type, const char *prefix, uint32_t tenant_id)
+ {
+@@ -2503,10 +2546,18 @@ static DetectEngineCtx *DetectEngineCtxInitReal(
+ if (de_ctx->mpm_cfg == NULL) {
+ goto error;
+ }
+- }
+- if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
+- mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
+- de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
++
++ if (DetectEngineMpmCachingEnabled() && mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet) {
++ mpm_table[de_ctx->mpm_matcher].ConfigCacheDirSet(
++ de_ctx->mpm_cfg, DetectEngineMpmCachingGetPath());
++
++ if (mpm_table[de_ctx->mpm_matcher].CachePrune) {
++ if (SCConfGetTime("detect.sgh-mpm-caching-max-age",
++ &de_ctx->mpm_cfg->cache_max_age_seconds) != 1) {
++ de_ctx->mpm_cfg->cache_max_age_seconds = 7ULL * 24ULL * 60ULL * 60ULL;
++ }
++ }
++ }
+ }
+
+ if (type == DETECT_ENGINE_TYPE_DD_STUB || type == DETECT_ENGINE_TYPE_MT_STUB) {
+@@ -4885,6 +4936,8 @@ int DetectEngineReload(const SCInstance *suri)
+
+ SCLogDebug("old_de_ctx should have been freed");
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
++
+ SCLogNotice("rule reload complete");
+
+ #ifdef HAVE_MALLOC_TRIM
+diff --git a/src/detect-engine.h b/src/detect-engine.h
+index 2c56475f6..2d45d3253 100644
+--- a/src/detect-engine.h
++++ b/src/detect-engine.h
+@@ -88,6 +88,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **);
+ TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *);
+ bool DetectEngineMpmCachingEnabled(void);
+ const char *DetectEngineMpmCachingGetPath(void);
++void DetectEngineMpmCacheService(uint32_t op_flags);
+ /* faster as a macro than a inline function on my box -- VJ */
+ #define DetectEngineGetMaxSigId(de_ctx) ((de_ctx)->signum)
+ void DetectEngineResetMaxSigId(DetectEngineCtx *);
+diff --git a/src/detect.h b/src/detect.h
+index 62c888e6a..49fbfe3eb 100644
+--- a/src/detect.h
++++ b/src/detect.h
+@@ -1750,6 +1750,9 @@ extern SigTableElmt *sigmatch_table;
+
+ /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
+
++#define DETECT_ENGINE_MPM_CACHE_OP_PRUNE BIT_U32(0)
++#define DETECT_ENGINE_MPM_CACHE_OP_SAVE BIT_U32(1)
++
+ /* detection api */
+ TmEcode Detect(ThreadVars *tv, Packet *p, void *data);
+ uint8_t DetectPreFlow(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p);
+diff --git a/src/runmode-unix-socket.c b/src/runmode-unix-socket.c
+index c2405f057..706a35b7e 100644
+--- a/src/runmode-unix-socket.c
++++ b/src/runmode-unix-socket.c
+@@ -967,6 +967,8 @@ TmEcode UnixSocketRegisterTenantHandler(json_t *cmd, json_t* answer, void *data)
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE);
++
+ json_object_set_new(answer, "message", json_string("handler added"));
+ return TM_ECODE_OK;
+ }
+@@ -1054,6 +1056,8 @@ TmEcode UnixSocketUnregisterTenantHandler(json_t *cmd, json_t* answer, void *dat
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
++
+ json_object_set_new(answer, "message", json_string("handler removed"));
+ return TM_ECODE_OK;
+ }
+@@ -1126,6 +1130,8 @@ TmEcode UnixSocketRegisterTenant(json_t *cmd, json_t* answer, void *data)
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE);
++
+ json_object_set_new(answer, "message", json_string("adding tenant succeeded"));
+ return TM_ECODE_OK;
+ }
+@@ -1193,6 +1199,8 @@ TmEcode UnixSocketReloadTenant(json_t *cmd, json_t* answer, void *data)
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
++
+ json_object_set_new(answer, "message", json_string("reloading tenant succeeded"));
+ return TM_ECODE_OK;
+ }
+@@ -1226,6 +1234,7 @@ TmEcode UnixSocketReloadTenants(json_t *cmd, json_t *answer, void *data)
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
+ SCLogNotice("reload-tenants complete");
+
+ json_object_set_new(answer, "message", json_string("reloading tenants succeeded"));
+@@ -1284,6 +1293,8 @@ TmEcode UnixSocketUnregisterTenant(json_t *cmd, json_t* answer, void *data)
+ return TM_ECODE_FAILED;
+ }
+
++ DetectEngineMpmCacheService(DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
++
+ /* walk free list, freeing the removed de_ctx */
+ DetectEnginePruneFreeList();
+
+diff --git a/src/suricata.c b/src/suricata.c
+index c6f94c3ce..a106c56f7 100644
+--- a/src/suricata.c
++++ b/src/suricata.c
+@@ -2688,6 +2688,8 @@ void PostConfLoadedDetectSetup(SCInstance *suri)
+ gettimeofday(&de_ctx->last_reload, NULL);
+ DetectEngineAddToMaster(de_ctx);
+ DetectEngineBumpVersion();
++ DetectEngineMpmCacheService(
++ DETECT_ENGINE_MPM_CACHE_OP_SAVE | DETECT_ENGINE_MPM_CACHE_OP_PRUNE);
+ }
+ }
+
+diff --git a/src/util-mpm-hs-cache.c b/src/util-mpm-hs-cache.c
+index 41b308171..58a2aa6ab 100644
+--- a/src/util-mpm-hs-cache.c
++++ b/src/util-mpm-hs-cache.c
+@@ -37,21 +37,22 @@
+ #include "rust.h"
+ #include <hs.h>
+
+-static const char *HSCacheConstructFPath(const char *folder_path, const char *hs_db_hash)
+-{
+- static char hash_file_path[PATH_MAX];
++#define HS_CACHE_FILE_VERSION "2"
++#define HS_CACHE_FILE_SUFFIX "_v" HS_CACHE_FILE_VERSION ".hs"
+
+- char hash_file_path_suffix[] = "_v1.hs";
++static int16_t HSCacheConstructFPath(
++ const char *dir_path, const char *db_hash, char *out_path, uint16_t out_path_size)
++{
+ char filename[NAME_MAX];
+- uint64_t r = snprintf(filename, sizeof(filename), "%s%s", hs_db_hash, hash_file_path_suffix);
+- if (r != (uint64_t)(strlen(hs_db_hash) + strlen(hash_file_path_suffix)))
+- return NULL;
++ uint64_t r = snprintf(filename, sizeof(filename), "%s" HS_CACHE_FILE_SUFFIX, db_hash);
++ if (r != (uint64_t)(strlen(db_hash) + strlen(HS_CACHE_FILE_SUFFIX)))
++ return -1;
+
+- r = PathMerge(hash_file_path, sizeof(hash_file_path), folder_path, filename);
++ r = PathMerge(out_path, out_path_size, dir_path, filename);
+ if (r)
+- return NULL;
++ return -1;
+
+- return hash_file_path;
++ return 0;
+ }
+
+ static char *HSReadStream(const char *file_path, size_t *buffer_sz)
+@@ -121,8 +122,11 @@ static void SCHSCachePatternHash(const SCHSPattern *p, SCSha256 *sha256)
+
+ int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpath)
+ {
+- const char *hash_file_static = HSCacheConstructFPath(dirpath, hs_db_hash);
+- if (hash_file_static == NULL)
++ char hash_file_static[PATH_MAX];
++ int ret = (int)HSCacheConstructFPath(
++ dirpath, hs_db_hash, hash_file_static, sizeof(hash_file_static));
++
++ if (ret != 0)
+ return -1;
+
+ SCLogDebug("Loading the cached HS DB from %s", hash_file_static);
+@@ -131,7 +135,6 @@ int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpa
+
+ FILE *db_cache = fopen(hash_file_static, "r");
+ char *buffer = NULL;
+- int ret = 0;
+ if (db_cache) {
+ size_t buffer_size;
+ buffer = HSReadStream(hash_file_static, &buffer_size);
+@@ -170,15 +173,20 @@ static int HSSaveCache(hs_database_t *hs_db, const char *hs_db_hash, const char
+ static bool notified = false;
+ char *db_stream = NULL;
+ size_t db_size;
+- int ret = -1;
++ int ret;
+
+ hs_error_t err = hs_serialize_database(hs_db, &db_stream, &db_size);
+ if (err != HS_SUCCESS) {
+ SCLogWarning("Failed to serialize Hyperscan database: %s", HSErrorToStr(err));
++ ret = -1;
+ goto cleanup;
+ }
+
+- const char *hash_file_static = HSCacheConstructFPath(dstpath, hs_db_hash);
++ char hash_file_static[PATH_MAX];
++ ret = (int)HSCacheConstructFPath(
++ dstpath, hs_db_hash, hash_file_static, sizeof(hash_file_static));
++ if (ret != 0)
++ goto cleanup;
+ SCLogDebug("Caching the compiled HS at %s", hash_file_static);
+ if (SCPathExists(hash_file_static)) {
+ // potentially signs that it might not work as expected as we got into
+@@ -198,6 +206,7 @@ static int HSSaveCache(hs_database_t *hs_db, const char *hs_db_hash, const char
+ hash_file_static);
+ notified = true;
+ }
++ ret = -1;
+ goto cleanup;
+ }
+ size_t r = fwrite(db_stream, sizeof(db_stream[0]), db_size, db_cache_out);
+@@ -217,7 +226,6 @@ static int HSSaveCache(hs_database_t *hs_db, const char *hs_db_hash, const char
+ goto cleanup;
+ }
+
+- ret = 0;
+ cleanup:
+ if (db_stream)
+ SCFree(db_stream);
+@@ -270,4 +278,187 @@ void HSSaveCacheIterator(void *data, void *aux)
+ }
+ }
+
++void HSCacheFilenameUsedIterator(void *data, void *aux)
++{
++ PatternDatabase *pd = (PatternDatabase *)data;
++ struct HsInUseCacheFilesIteratorData *iter_data = (struct HsInUseCacheFilesIteratorData *)aux;
++ if (pd->no_cache || !pd->cached)
++ return;
++
++ char hs_db_hash[SC_SHA256_LEN * 2 + 1]; // * 2 for hex +1 for nul terminator
++ if (HSHashDb(pd, hs_db_hash, ARRAY_SIZE(hs_db_hash)) != 0) {
++ return;
++ }
++
++ char *fpath = SCCalloc(PATH_MAX, sizeof(char));
++ if (fpath == NULL) {
++ SCLogWarning("Failed to allocate memory for cache file path");
++ return;
++ }
++ if (HSCacheConstructFPath(iter_data->cache_path, hs_db_hash, fpath, PATH_MAX)) {
++ SCFree(fpath);
++ return;
++ }
++
++ int r = HashTableAdd(iter_data->tbl, (void *)fpath, (uint16_t)strlen(fpath));
++ if (r < 0) {
++ SCLogWarning("Failed to add used cache file path %s to hash table", fpath);
++ SCFree(fpath);
++ }
++}
++
++/**
++ * \brief Check if HS cache file is stale by age.
++ *
++ * \param mtime File modification time.
++ * \param cutoff Time cutoff (files older than this will be removed).
++ *
++ * \retval true if file should be pruned, false otherwise.
++ */
++static bool HSPruneFileByAge(time_t mtime, time_t cutoff)
++{
++ return mtime < cutoff;
++}
++
++/**
++ * \brief Check if HS cache file is version-compatible.
++ *
++ * \param filename Cache file name.
++ *
++ * \retval true if file should be pruned, false otherwise.
++ */
++static bool HSPruneFileByVersion(const char *filename)
++{
++ if (strlen(filename) < strlen(HS_CACHE_FILE_SUFFIX)) {
++ return true;
++ }
++
++ const char *underscore = strrchr(filename, '_');
++ if (underscore == NULL || strcmp(underscore, HS_CACHE_FILE_SUFFIX) != 0) {
++ return true;
++ }
++
++ return false;
++}
++
++int SCHSCachePruneEvaluate(MpmConfig *mpm_conf, HashTable *inuse_caches)
++{
++ if (mpm_conf == NULL || mpm_conf->cache_dir_path == NULL)
++ return -1;
++ if (mpm_conf->cache_max_age_seconds == 0)
++ return 0; // disabled
++
++ const time_t now = time(NULL);
++ if (now == (time_t)-1) {
++ return -1;
++ } else if (mpm_conf->cache_max_age_seconds >= (uint64_t)now) {
++ return 0;
++ }
++
++ DIR *dir = opendir(mpm_conf->cache_dir_path);
++ if (dir == NULL) {
++ return -1;
++ }
++
++ struct dirent *ent;
++ char path[PATH_MAX];
++ uint32_t considered = 0, removed = 0;
++ const time_t cutoff = now - (time_t)mpm_conf->cache_max_age_seconds;
++ while ((ent = readdir(dir)) != NULL) {
++ const char *name = ent->d_name;
++ size_t namelen = strlen(name);
++ if (namelen < 3 || strcmp(name + namelen - 3, ".hs") != 0)
++ continue;
++
++ if (PathMerge(path, ARRAY_SIZE(path), mpm_conf->cache_dir_path, name) != 0)
++ continue;
++
++ struct stat st;
++ if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
++ continue;
++
++ considered++;
++
++ const bool prune_by_age = HSPruneFileByAge(st.st_mtime, cutoff);
++ const bool prune_by_version = HSPruneFileByVersion(name);
++ if (!prune_by_age && !prune_by_version)
++ continue;
++
++ void *cache_inuse = HashTableLookup(inuse_caches, path, (uint16_t)strlen(path));
++ if (cache_inuse != NULL)
++ continue; // in use
++
++ if (unlink(path) == 0) {
++ removed++;
++ SCLogDebug("File %s removed because of %s%s%s", path, prune_by_age ? "age" : "",
++ prune_by_age && prune_by_version ? " and " : "",
++ prune_by_version ? "incompatible version" : "");
++ } else {
++ SCLogWarning("Failed to prune \"%s\": %s", path, strerror(errno));
++ }
++ }
++ closedir(dir);
++
++ PatternDatabaseCache *pd_cache_stats = mpm_conf->cache_stats;
++ if (pd_cache_stats) {
++ pd_cache_stats->hs_dbs_cache_pruned_cnt = removed;
++ pd_cache_stats->hs_dbs_cache_pruned_considered_cnt = considered;
++ pd_cache_stats->hs_dbs_cache_pruned_cutoff = cutoff;
++ pd_cache_stats->cache_max_age_seconds = mpm_conf->cache_max_age_seconds;
++ }
++ return 0;
++}
++
++void *SCHSCacheStatsInit(void)
++{
++ PatternDatabaseCache *pd_cache_stats = SCCalloc(1, sizeof(PatternDatabaseCache));
++ if (pd_cache_stats == NULL) {
++ SCLogError("Failed to allocate memory for Hyperscan cache stats");
++ return NULL;
++ }
++ return pd_cache_stats;
++}
++
++void SCHSCacheStatsPrint(void *data)
++{
++ if (data == NULL) {
++ return;
++ }
++
++ PatternDatabaseCache *pd_cache_stats = (PatternDatabaseCache *)data;
++
++ char time_str[64];
++ struct tm tm_s;
++ struct tm *tm_info = SCLocalTime(pd_cache_stats->hs_dbs_cache_pruned_cutoff, &tm_s);
++ if (tm_info != NULL) {
++ strftime(time_str, ARRAY_SIZE(time_str), "%Y-%m-%d %H:%M:%S", tm_info);
++ } else {
++ snprintf(time_str, ARRAY_SIZE(time_str), "%" PRIu64 " seconds",
++ pd_cache_stats->cache_max_age_seconds);
++ }
++
++ if (pd_cache_stats->hs_cacheable_dbs_cnt) {
++ SCLogInfo("Rule group caching - loaded: %u newly cached: %u total cacheable: %u",
++ pd_cache_stats->hs_dbs_cache_loaded_cnt, pd_cache_stats->hs_dbs_cache_saved_cnt,
++ pd_cache_stats->hs_cacheable_dbs_cnt);
++ }
++ if (pd_cache_stats->hs_dbs_cache_pruned_considered_cnt) {
++ SCLogInfo("Rule group cache pruning removed %u/%u of HS caches due to "
++ "version-incompatibility (not v%s) or "
++ "age (older than %s)",
++ pd_cache_stats->hs_dbs_cache_pruned_cnt,
++ pd_cache_stats->hs_dbs_cache_pruned_considered_cnt, HS_CACHE_FILE_VERSION,
++ time_str);
++ }
++}
++
++void SCHSCacheStatsDeinit(void *data)
++{
++ if (data == NULL) {
++ return;
++ }
++ PatternDatabaseCache *pd_cache_stats = (PatternDatabaseCache *)data;
++ SCFree(pd_cache_stats);
++}
++
+ #endif /* BUILD_HYPERSCAN */
+diff --git a/src/util-mpm-hs-cache.h b/src/util-mpm-hs-cache.h
+index 225c5001a..24b4eece0 100644
+--- a/src/util-mpm-hs-cache.h
++++ b/src/util-mpm-hs-cache.h
+@@ -35,9 +35,24 @@ struct HsIteratorData {
+ const char *cache_path;
+ };
+
++/**
++ * \brief Data structure to store in-use cache files.
++ * Used in cache pruning to avoid deleting files that are still in use.
++ */
++struct HsInUseCacheFilesIteratorData {
++ HashTable *tbl; // stores file paths of in-use cache files
++ const char *cache_path;
++};
++
+ int HSLoadCache(hs_database_t **hs_db, const char *hs_db_hash, const char *dirpath);
+ int HSHashDb(const PatternDatabase *pd, char *hash, size_t hash_len);
+ void HSSaveCacheIterator(void *data, void *aux);
++void HSCacheFilenameUsedIterator(void *data, void *aux);
++int SCHSCachePruneEvaluate(MpmConfig *mpm_conf, HashTable *inuse_caches);
++
++void *SCHSCacheStatsInit(void);
++void SCHSCacheStatsPrint(void *data);
++void SCHSCacheStatsDeinit(void *data);
+ #endif /* BUILD_HYPERSCAN */
+
+ #endif /* SURICATA_UTIL_MPM_HS_CACHE__H */
+diff --git a/src/util-mpm-hs-core.h b/src/util-mpm-hs-core.h
+index 699dd6956..8392127cf 100644
+--- a/src/util-mpm-hs-core.h
++++ b/src/util-mpm-hs-core.h
+@@ -93,6 +93,10 @@ typedef struct PatternDatabaseCache_ {
+ uint32_t hs_cacheable_dbs_cnt;
+ uint32_t hs_dbs_cache_loaded_cnt;
+ uint32_t hs_dbs_cache_saved_cnt;
++ uint32_t hs_dbs_cache_pruned_cnt;
++ uint32_t hs_dbs_cache_pruned_considered_cnt;
++ time_t hs_dbs_cache_pruned_cutoff;
++ uint64_t cache_max_age_seconds;
+ } PatternDatabaseCache;
+
+ const char *HSErrorToStr(hs_error_t error_code);
+diff --git a/src/util-mpm-hs.c b/src/util-mpm-hs.c
+index ad7178eb8..df4a66b2e 100644
+--- a/src/util-mpm-hs.c
++++ b/src/util-mpm-hs.c
+@@ -835,18 +835,53 @@ static int SCHSCacheRuleset(MpmConfig *mpm_conf)
+ mpm_conf->cache_dir_path);
+ return -1;
+ }
+- PatternDatabaseCache pd_stats = { 0 };
+- struct HsIteratorData iter_data = { .pd_stats = &pd_stats,
++ PatternDatabaseCache *pd_stats = mpm_conf->cache_stats;
++ struct HsIteratorData iter_data = { .pd_stats = pd_stats,
+ .cache_path = mpm_conf->cache_dir_path };
+ SCMutexLock(&g_db_table_mutex);
+ HashTableIterate(g_db_table, HSSaveCacheIterator, &iter_data);
+ SCMutexUnlock(&g_db_table_mutex);
+- SCLogNotice("Rule group caching - loaded: %u newly cached: %u total cacheable: %u",
+- pd_stats.hs_dbs_cache_loaded_cnt, pd_stats.hs_dbs_cache_saved_cnt,
+- pd_stats.hs_cacheable_dbs_cnt);
+ return 0;
+ }
+
++static uint32_t FilenameTableHash(HashTable *ht, void *data, uint16_t len)
++{
++ const char *fname = data;
++ uint32_t hash = hashlittle_safe(data, strlen(fname), 0);
++ hash %= ht->array_size;
++ return hash;
++}
++
++static void FilenameTableFree(void *data)
++{
++ SCFree(data);
++}
++
++static int SCHSCachePrune(MpmConfig *mpm_conf)
++{
++ if (!mpm_conf || !mpm_conf->cache_dir_path) {
++ return -1;
++ }
++
++ SCLogDebug("Pruning the Hyperscan cache folder %s", mpm_conf->cache_dir_path);
++ // we need to initialize hash map of in-use cache files
++ HashTable *inuse_caches =
++ HashTableInit(INIT_DB_HASH_SIZE, FilenameTableHash, NULL, FilenameTableFree);
++ if (inuse_caches == NULL) {
++ return -1;
++ }
++ struct HsInUseCacheFilesIteratorData iter_data = { .tbl = inuse_caches,
++ .cache_path = mpm_conf->cache_dir_path };
++
++ SCMutexLock(&g_db_table_mutex);
++ HashTableIterate(g_db_table, HSCacheFilenameUsedIterator, &iter_data);
++ SCMutexUnlock(&g_db_table_mutex);
++
++ int r = SCHSCachePruneEvaluate(mpm_conf, inuse_caches);
++ HashTableFree(inuse_caches);
++ return r;
++}
++
+ /**
+ * \brief Init the mpm thread context.
+ *
+@@ -1178,7 +1213,11 @@ void MpmHSRegister(void)
+ mpm_table[MPM_HS].AddPattern = SCHSAddPatternCS;
+ mpm_table[MPM_HS].AddPatternNocase = SCHSAddPatternCI;
+ mpm_table[MPM_HS].Prepare = SCHSPreparePatterns;
++ mpm_table[MPM_HS].CacheStatsInit = SCHSCacheStatsInit;
++ mpm_table[MPM_HS].CacheStatsPrint = SCHSCacheStatsPrint;
++ mpm_table[MPM_HS].CacheStatsDeinit = SCHSCacheStatsDeinit;
+ mpm_table[MPM_HS].CacheRuleset = SCHSCacheRuleset;
++ mpm_table[MPM_HS].CachePrune = SCHSCachePrune;
+ mpm_table[MPM_HS].Search = SCHSSearch;
+ mpm_table[MPM_HS].PrintCtx = SCHSPrintInfo;
+ mpm_table[MPM_HS].PrintThreadCtx = SCHSPrintSearchStats;
+diff --git a/src/util-mpm.h b/src/util-mpm.h
+index c2c434152..859ceae12 100644
+--- a/src/util-mpm.h
++++ b/src/util-mpm.h
+@@ -90,6 +90,8 @@ typedef struct MpmPattern_ {
+
+ typedef struct MpmConfig_ {
+ const char *cache_dir_path;
++ uint64_t cache_max_age_seconds; /* 0 means disabled/no pruning policy */
++ void *cache_stats;
+ } MpmConfig;
+
+ typedef struct MpmCtx_ {
+@@ -175,7 +177,11 @@ typedef struct MpmTableElmt_ {
+ int (*AddPatternNocase)(struct MpmCtx_ *, const uint8_t *, uint16_t, uint16_t, uint16_t,
+ uint32_t, SigIntId, uint8_t);
+ int (*Prepare)(MpmConfig *, struct MpmCtx_ *);
++ void *(*CacheStatsInit)(void);
++ void (*CacheStatsPrint)(void *data);
++ void (*CacheStatsDeinit)(void *data);
+ int (*CacheRuleset)(MpmConfig *);
++ int (*CachePrune)(MpmConfig *);
+ /** \retval cnt number of patterns that matches: once per pattern max. */
+ uint32_t (*Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t);
+ void (*PrintCtx)(struct MpmCtx_ *);
+diff --git a/suricata.yaml.in b/suricata.yaml.in
+index a0ab5a066..d7ce7c2cc 100644
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1810,6 +1810,10 @@ detect:
+ # Cache files are created in the standard library directory.
+ sgh-mpm-caching: yes
+ sgh-mpm-caching-path: @e_sghcachedir@
++ # Maximum age for cached MPM databases before they are pruned.
++ # Accepts a combination of time units (s,m,h,d,w,y).
++ # Omit to use the default, 0 to disable.
++ # sgh-mpm-caching-max-age: 7d
+ # inspection-recursion-limit: 3000
+ # maximum number of times a tx will get logged for rules without app-layer keywords
+ # stream-tx-log-limit: 4
+commit 56c1552c3e8425ca07ce3b6ba88f2215b984c5fb
+Author: Lukas Sismis <lsismis@oisf.net>
+Date: Mon Nov 3 19:47:16 2025 +0100
+
+ hs: warn about the same cache directory
+
+ This is especially relevant for multi-instance simultaneous setups
+ as we might risk read/write races.
+
+diff --git a/doc/userguide/performance/hyperscan.rst b/doc/userguide/performance/hyperscan.rst
+index 1060d3aef..a64322730 100644
+--- a/doc/userguide/performance/hyperscan.rst
++++ b/doc/userguide/performance/hyperscan.rst
+@@ -127,3 +127,7 @@ disables pruning.
+ **Note**:
+ You might need to create and adjust permissions to the default caching folder
+ path, especially if you are running Suricata as a non-root user.
++
++**Note**:
++If you're running multiple Suricata instances, use separate cache folders
++for each one to avoid read/write conflicts when they run at the same time.
--
2.47.3
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 2/3] rust: Update to 1.92.0
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
2026-01-23 5:26 ` [PATCH 1/3] suricata: Add upstream patch to purge sgh-mpm-caches Stefan Schantl
@ 2026-01-23 5:26 ` Stefan Schantl
2026-01-23 10:09 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Michael Tremer
2 siblings, 0 replies; 17+ messages in thread
From: Stefan Schantl @ 2026-01-23 5:26 UTC (permalink / raw)
To: development; +Cc: Stefan Schantl
This is an update to the latest stable release of rust
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/rootfiles/common/aarch64/rust | 130 +++++++++++++--------------
config/rootfiles/common/riscv64/rust | 109 +++++++++++-----------
config/rootfiles/common/x86_64/rust | 82 ++++++++++-------
lfs/rust | 13 ++-
4 files changed, 173 insertions(+), 161 deletions(-)
diff --git a/config/rootfiles/common/aarch64/rust b/config/rootfiles/common/aarch64/rust
index 19055ac28..71b7ce9a2 100644
--- a/config/rootfiles/common/aarch64/rust
+++ b/config/rootfiles/common/aarch64/rust
@@ -6,70 +6,11 @@
#usr/bin/rustdoc
#usr/etc/bash_completion.d
#usr/etc/bash_completion.d/cargo
-#usr/lib/libdarling_macro-48c60ba578c36a18.so
-#usr/lib/libderive_setters-bdfbec951c0a0cf1.so
-#usr/lib/libderive_where-1280fdedb928b2b9.so
-#usr/lib/libdisplaydoc-2a39d0af4ba451ec.so
-#usr/lib/libicu_provider_macros-2355031845105802.so
-#usr/lib/libproc_macro_hack-2fb61d9ea1b51e16.so
-#usr/lib/librustc_driver-c048d41570338542.so
-#usr/lib/librustc_fluent_macro-5d08f2449a8d1a39.so
-#usr/lib/librustc_index_macros-3616864e0878239b.so
-#usr/lib/librustc_macros-9af36f6a1d64f82e.so
-#usr/lib/librustc_type_ir_macros-965f2d2a9475d718.so
-#usr/lib/libserde_derive-6a6f9b18169a12f0.so
-#usr/lib/libthiserror_impl-02bd7f8a09469611.so
-#usr/lib/libtime_macros-e83d7ae85f0f72f4.so
-#usr/lib/libtracing_attributes-c49d2f63065f963b.so
-#usr/lib/libunic_langid_macros_impl-0bbf2066776f4784.so
-#usr/lib/libyoke_derive-3668e5798b12e026.so
-#usr/lib/libzerocopy_derive-75eaa3aa75782f35.so
-#usr/lib/libzerofrom_derive-0f9693bcd0f4a45b.so
-#usr/lib/libzerovec_derive-302e6c91f5b923b1.so
+#usr/etc/target-spec-json-schema.json
+#usr/lib/libLLVM-21-rust-1.92.0-stable.so
+#usr/lib/libLLVM.so.21.1-rust-1.92.0-stable
+#usr/lib/librustc_driver-d31eb41759495bb2.so
#usr/lib/rustlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/ld.lld
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/ld64.lld
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/lld-link
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/wasm-ld
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/rust-objcopy
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/wasm-component-ld
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libaddr2line-b5c2000e0cd7e2da.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libadler-7522a3b17c9865c1.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/liballoc-dd37cd35aaa8bbc1.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcfg_if-d85d8ca815fd8ede.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcompiler_builtins-28e5089f2b5f6c14.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcore-f87f661789447f5d.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libgetopts-0d2560c9c04f523e.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libgimli-260b0ae067fcbc74.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libhashbrown-f81554601df81dba.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/liblibc-a407511d16763038.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libmemchr-49c225520932793c.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libminiz_oxide-904261fe6c2793b4.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libobject-1238c66087ccc721.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libpanic_abort-a663c8e263fd76c3.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libpanic_unwind-8015a5c851b5d89f.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libproc_macro-13fc50646028bfe3.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libprofiler_builtins-17fa3f5dd5b39bf9.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.asan.a
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.hwasan.a
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.lsan.a
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.msan.a
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.tsan.a
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_demangle-bdd5e3a96276e325.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_alloc-1ef59f0a1b872e31.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_core-e352fdf6f38ada21.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_std-05a98bc8a268f144.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-55e662df679d038f.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-55e662df679d038f.so
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd_detect-0b86b09b624ecd98.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libsysroot-61b860b8000a8886.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libtest-603b1bafd4f145b9.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libunicode_width-691e5c3921b9b49f.rlib
-#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libunwind-1146c5c38405ef5e.rlib
#usr/lib/rustlib/components
#usr/lib/rustlib/etc
#usr/lib/rustlib/etc/gdb_load_rust_pretty_printers.py
@@ -85,6 +26,51 @@
#usr/lib/rustlib/manifest-rustc
#usr/lib/rustlib/rust-installer-version
#usr/lib/rustlib/uninstall.sh
+#usr/lib/rustlib/aarch64-unknown-linux-gnu
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/ld.lld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/ld64.lld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/lld-link
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/gcc-ld/wasm-ld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/rust-lld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/rust-objcopy
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/bin/wasm-component-ld
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libaddr2line-11d54e777384a9e5.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libadler2-1e0b0d62df36c85c.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/liballoc-06039bcfba61f665.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcfg_if-6a40188dd7d989d2.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcompiler_builtins-3e2e950d4bac10b5.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libcore-5080178c80bf7a93.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libgetopts-c8814943458d63c4.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libgimli-35018e994bad7042.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libhashbrown-2ed6a8f06fc51a9d.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/liblibc-d25e598578fbf080.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libmemchr-09f2ab7e0d97e07a.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libminiz_oxide-5312b588e5cfab93.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libobject-2dc10b344e05b569.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libpanic_abort-e2ab0eec3e5fd91a.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libpanic_unwind-932f22f820d1e5ec.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libproc_macro-f8e79ba97b69012b.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libprofiler_builtins-5fea4b1d5095fe92.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.asan.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.dfsan.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.lsan.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.msan.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.safestack.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc-stable_rt.tsan.a
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_demangle-43b2ff22c18e1125.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_literal_escaper-54d515d7e0ffe0c6.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_alloc-05b02707a5b2a256.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_core-327ea4f353b4eb8c.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/librustc_std_workspace_std-c7bda3ac2a6b49f7.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-225863f279df55c4.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd-225863f279df55c4.so
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libstd_detect-5978f0713dd5442d.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libsysroot-85bdb6374f3e9283.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libtest-6c04d4913014a9fc.rlib
+#usr/lib/rustlib/aarch64-unknown-linux-gnu/lib/libunwind-94fdfaf0af91a65d.rlib
#usr/libexec/rust-analyzer-proc-macro-srv
#usr/share/cargo
#usr/share/cargo/registry
@@ -94,10 +80,22 @@
#usr/share/doc/cargo/LICENSE-THIRD-PARTY
#usr/share/doc/cargo/README.md
#usr/share/doc/rust
-#usr/share/doc/rust/COPYRIGHT
-#usr/share/doc/rust/LICENSE-APACHE
-#usr/share/doc/rust/LICENSE-MIT
+#usr/share/doc/rust/COPYRIGHT-library.html
+#usr/share/doc/rust/COPYRIGHT.html
#usr/share/doc/rust/README.md
+#usr/share/doc/rust/licenses
+#usr/share/doc/rust/licenses/Apache-2.0.txt
+#usr/share/doc/rust/licenses/BSD-2-Clause.txt
+#usr/share/doc/rust/licenses/CC-BY-SA-4.0.txt
+#usr/share/doc/rust/licenses/GCC-exception-3.1.txt
+#usr/share/doc/rust/licenses/GPL-2.0-only.txt
+#usr/share/doc/rust/licenses/GPL-3.0-or-later.txt
+#usr/share/doc/rust/licenses/ISC.txt
+#usr/share/doc/rust/licenses/LLVM-exception.txt
+#usr/share/doc/rust/licenses/MIT.txt
+#usr/share/doc/rust/licenses/NCSA.txt
+#usr/share/doc/rust/licenses/OFL-1.1.txt
+#usr/share/doc/rust/licenses/Unicode-3.0.txt
#usr/share/man/man1/cargo-add.1
#usr/share/man/man1/cargo-bench.1
#usr/share/man/man1/cargo-build.1
diff --git a/config/rootfiles/common/riscv64/rust b/config/rootfiles/common/riscv64/rust
index fd106892d..96e813076 100644
--- a/config/rootfiles/common/riscv64/rust
+++ b/config/rootfiles/common/riscv64/rust
@@ -6,26 +6,10 @@
#usr/bin/rustdoc
#usr/etc/bash_completion.d
#usr/etc/bash_completion.d/cargo
-#usr/lib/libdarling_macro-333094c091df4015.so
-#usr/lib/libderive_setters-eb9d17375f0d2024.so
-#usr/lib/libderive_where-a4ceb656b618c723.so
-#usr/lib/libdisplaydoc-6ab65588c4fed8b6.so
-#usr/lib/libicu_provider_macros-c1885a81c3aaa649.so
-#usr/lib/libproc_macro_hack-e8d8a46285916400.so
-#usr/lib/librustc_driver-308f082c9fea1d1b.so
-#usr/lib/librustc_fluent_macro-556889dcb410e6da.so
-#usr/lib/librustc_index_macros-4b06439ae4c576d8.so
-#usr/lib/librustc_macros-0c8828fa6210aaec.so
-#usr/lib/librustc_type_ir_macros-0b05e66771d07295.so
-#usr/lib/libserde_derive-70778b02209d2ff5.so
-#usr/lib/libthiserror_impl-35548549b7872eab.so
-#usr/lib/libtime_macros-ef6b176b1d947a33.so
-#usr/lib/libtracing_attributes-85c7e1ea105764f4.so
-#usr/lib/libunic_langid_macros_impl-b2f246a72e268ad0.so
-#usr/lib/libyoke_derive-701ee0d81fd6e1e2.so
-#usr/lib/libzerocopy_derive-e95fa47f5d0db252.so
-#usr/lib/libzerofrom_derive-42ab18fae7d19f9a.so
-#usr/lib/libzerovec_derive-8fa84d155226655f.so
+#usr/etc/target-spec-json-schema.json
+#usr/lib/libLLVM-21-rust-1.92.0-stable.so
+#usr/lib/libLLVM.so.21.1-rust-1.92.0-stable
+#usr/lib/librustc_driver-d31eb41759495bb2.so
#usr/lib/rustlib
#usr/lib/rustlib/components
#usr/lib/rustlib/etc
@@ -40,6 +24,8 @@
#usr/lib/rustlib/manifest-cargo
#usr/lib/rustlib/manifest-rust-std-riscv64gc-unknown-linux-gnu
#usr/lib/rustlib/manifest-rustc
+#usr/lib/rustlib/rust-installer-version
+#usr/lib/rustlib/uninstall.sh
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/gcc-ld
@@ -47,39 +33,44 @@
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/gcc-ld/ld64.lld
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/gcc-ld/lld-link
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/gcc-ld/wasm-ld
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/rust-lld
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/rust-objcopy
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/bin/wasm-component-ld
#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libaddr2line-65de847b01fb13aa.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libadler-f6150e2c8c7520a2.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/liballoc-65012f886c45ba83.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcfg_if-47b2ac880739af72.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcompiler_builtins-dcaac2e374baa989.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcore-e62f8d07515ae7ba.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libgetopts-3510c6a7a63b709c.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libgimli-94dceb6179529152.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libhashbrown-4a3b141370a80fcc.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/liblibc-e30ed58f641c8fef.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libmemchr-108d2e39dad4e231.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libminiz_oxide-809679d650a1462c.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libobject-3d904933cc45ac22.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libpanic_abort-a7dfdf989f233c89.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libpanic_unwind-432a51b442d90b95.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libproc_macro-cd166f2f689a98b2.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libprofiler_builtins-67327994d1b4bdc1.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_demangle-6087e86748847731.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_alloc-45dd03eb45d52454.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_core-fc703f796971554d.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_std-ebf8396a16eebb78.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd-8231cf027982a9e9.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd-8231cf027982a9e9.so
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd_detect-045721e0e8276e21.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libsysroot-3abe192d8d8fd99f.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libtest-11bd44812334fefb.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libunicode_width-5ad33c2ccb05df6c.rlib
-#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libunwind-aaaa2315ee122353.rlib
-#usr/lib/rustlib/rust-installer-version
-#usr/lib/rustlib/uninstall.sh
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libaddr2line-11d54e777384a9e5.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libadler2-1e0b0d62df36c85c.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/liballoc-06039bcfba61f665.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcfg_if-6a40188dd7d989d2.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcompiler_builtins-3e2e950d4bac10b5.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libcore-5080178c80bf7a93.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libgetopts-c8814943458d63c4.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libgimli-35018e994bad7042.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libhashbrown-2ed6a8f06fc51a9d.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/liblibc-d25e598578fbf080.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libmemchr-09f2ab7e0d97e07a.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libminiz_oxide-5312b588e5cfab93.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libobject-2dc10b344e05b569.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libpanic_abort-e2ab0eec3e5fd91a.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libpanic_unwind-932f22f820d1e5ec.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libproc_macro-f8e79ba97b69012b.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libprofiler_builtins-5fea4b1d5095fe92.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.asan.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.dfsan.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.lsan.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.msan.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.safestack.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc-stable_rt.tsan.a
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_demangle-43b2ff22c18e1125.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_literal_escaper-54d515d7e0ffe0c6.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_alloc-05b02707a5b2a256.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_core-327ea4f353b4eb8c.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/librustc_std_workspace_std-c7bda3ac2a6b49f7.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd-225863f279df55c4.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd-225863f279df55c4.so
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libstd_detect-5978f0713dd5442d.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libsysroot-85bdb6374f3e9283.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libtest-6c04d4913014a9fc.rlib
+#usr/lib/rustlib/riscv64gc-unknown-linux-gnu/lib/libunwind-94fdfaf0af91a65d.rlib
#usr/libexec/rust-analyzer-proc-macro-srv
#usr/share/cargo
#usr/share/cargo/registry
@@ -89,10 +80,22 @@
#usr/share/doc/cargo/LICENSE-THIRD-PARTY
#usr/share/doc/cargo/README.md
#usr/share/doc/rust
-#usr/share/doc/rust/COPYRIGHT
-#usr/share/doc/rust/LICENSE-APACHE
-#usr/share/doc/rust/LICENSE-MIT
+#usr/share/doc/rust/COPYRIGHT-library.html
+#usr/share/doc/rust/COPYRIGHT.html
#usr/share/doc/rust/README.md
+#usr/share/doc/rust/licenses
+#usr/share/doc/rust/licenses/Apache-2.0.txt
+#usr/share/doc/rust/licenses/BSD-2-Clause.txt
+#usr/share/doc/rust/licenses/CC-BY-SA-4.0.txt
+#usr/share/doc/rust/licenses/GCC-exception-3.1.txt
+#usr/share/doc/rust/licenses/GPL-2.0-only.txt
+#usr/share/doc/rust/licenses/GPL-3.0-or-later.txt
+#usr/share/doc/rust/licenses/ISC.txt
+#usr/share/doc/rust/licenses/LLVM-exception.txt
+#usr/share/doc/rust/licenses/MIT.txt
+#usr/share/doc/rust/licenses/NCSA.txt
+#usr/share/doc/rust/licenses/OFL-1.1.txt
+#usr/share/doc/rust/licenses/Unicode-3.0.txt
#usr/share/man/man1/cargo-add.1
#usr/share/man/man1/cargo-bench.1
#usr/share/man/man1/cargo-build.1
diff --git a/config/rootfiles/common/x86_64/rust b/config/rootfiles/common/x86_64/rust
index e6c0ac5ef..adf16ec7b 100644
--- a/config/rootfiles/common/x86_64/rust
+++ b/config/rootfiles/common/x86_64/rust
@@ -6,9 +6,10 @@
#usr/bin/rustdoc
#usr/etc/bash_completion.d
#usr/etc/bash_completion.d/cargo
-#usr/lib/libLLVM-19-rust-1.85.0-stable.so
-#usr/lib/libLLVM.so.19.1-rust-1.85.0-stable
-#usr/lib/librustc_driver-77ea5bfe5f9d9ec5.so
+#usr/etc/target-spec-json-schema.json
+#usr/lib/libLLVM-21-rust-1.92.0-stable.so
+#usr/lib/libLLVM.so.21.1-rust-1.92.0-stable
+#usr/lib/librustc_driver-d31eb41759495bb2.so
#usr/lib/rustlib
#usr/lib/rustlib/components
#usr/lib/rustlib/etc
@@ -32,43 +33,44 @@
#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/gcc-ld/ld64.lld
#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/gcc-ld/lld-link
#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/gcc-ld/wasm-ld
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/rust-lld
#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/rust-objcopy
#usr/lib/rustlib/x86_64-unknown-linux-gnu/bin/wasm-component-ld
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libaddr2line-86d8d9428792e8ef.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libadler-fa99f5692b5dce85.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liballoc-715bc629a88bca60.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcfg_if-f7ee3f1ea78d9dae.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcompiler_builtins-1af05515ab19524a.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcore-406129d0e3fbc101.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libgetopts-d04d0c542852b7d7.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libgimli-10f06487503767c2.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libhashbrown-a7f5bb2f736d3c49.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liblibc-d3a35665f881365a.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libmemchr-500edd5521c440d4.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libminiz_oxide-376454d49910c786.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libobject-ec6154ccae37a33e.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libpanic_abort-4dabff3cfff0af69.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libpanic_unwind-267e668abf74a283.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libproc_macro-57e423f2e16d22f0.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libprofiler_builtins-39641a735291dd5c.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libaddr2line-11d54e777384a9e5.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libadler2-1e0b0d62df36c85c.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liballoc-06039bcfba61f665.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcfg_if-6a40188dd7d989d2.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcompiler_builtins-3e2e950d4bac10b5.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcore-5080178c80bf7a93.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libgetopts-c8814943458d63c4.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libgimli-35018e994bad7042.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libhashbrown-2ed6a8f06fc51a9d.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liblibc-d25e598578fbf080.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libmemchr-09f2ab7e0d97e07a.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libminiz_oxide-5312b588e5cfab93.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libobject-2dc10b344e05b569.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libpanic_abort-e2ab0eec3e5fd91a.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libpanic_unwind-932f22f820d1e5ec.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libproc_macro-f8e79ba97b69012b.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libprofiler_builtins-5fea4b1d5095fe92.rlib
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.asan.a
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.dfsan.a
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.lsan.a
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.msan.a
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.safestack.a
#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc-stable_rt.tsan.a
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_demangle-6a38424de1e5bca5.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_alloc-7e368919bdc4a44c.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_core-ae70165d1278cff7.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_std-6cf585dc4073d549.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-6273572f18644c87.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-6273572f18644c87.so
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd_detect-de9763ea1c19dca3.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libsysroot-e9aa32a273745138.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libtest-bb17ba1fa02ea08e.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libunicode_width-7748d1fe0f8acd00.rlib
-#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libunwind-91cafdaf16f7fe40.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_demangle-43b2ff22c18e1125.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_literal_escaper-54d515d7e0ffe0c6.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_alloc-05b02707a5b2a256.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_core-327ea4f353b4eb8c.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_std-c7bda3ac2a6b49f7.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-225863f279df55c4.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-225863f279df55c4.so
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd_detect-5978f0713dd5442d.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libsysroot-85bdb6374f3e9283.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libtest-6c04d4913014a9fc.rlib
+#usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libunwind-94fdfaf0af91a65d.rlib
#usr/libexec/rust-analyzer-proc-macro-srv
#usr/share/cargo
#usr/share/cargo/registry
@@ -78,10 +80,22 @@
#usr/share/doc/cargo/LICENSE-THIRD-PARTY
#usr/share/doc/cargo/README.md
#usr/share/doc/rust
-#usr/share/doc/rust/COPYRIGHT
-#usr/share/doc/rust/LICENSE-APACHE
-#usr/share/doc/rust/LICENSE-MIT
+#usr/share/doc/rust/COPYRIGHT-library.html
+#usr/share/doc/rust/COPYRIGHT.html
#usr/share/doc/rust/README.md
+#usr/share/doc/rust/licenses
+#usr/share/doc/rust/licenses/Apache-2.0.txt
+#usr/share/doc/rust/licenses/BSD-2-Clause.txt
+#usr/share/doc/rust/licenses/CC-BY-SA-4.0.txt
+#usr/share/doc/rust/licenses/GCC-exception-3.1.txt
+#usr/share/doc/rust/licenses/GPL-2.0-only.txt
+#usr/share/doc/rust/licenses/GPL-3.0-or-later.txt
+#usr/share/doc/rust/licenses/ISC.txt
+#usr/share/doc/rust/licenses/LLVM-exception.txt
+#usr/share/doc/rust/licenses/MIT.txt
+#usr/share/doc/rust/licenses/NCSA.txt
+#usr/share/doc/rust/licenses/OFL-1.1.txt
+#usr/share/doc/rust/licenses/Unicode-3.0.txt
#usr/share/man/man1/cargo-add.1
#usr/share/man/man1/cargo-bench.1
#usr/share/man/man1/cargo-build.1
diff --git a/lfs/rust b/lfs/rust
index a122265eb..5cf265c4d 100644
--- a/lfs/rust
+++ b/lfs/rust
@@ -24,12 +24,12 @@
include Config
-VER = 1.85.0
+VER = 1.92.0
# https://forge.rust-lang.org/infra/other-installation-methods.html#standalone-installers
THISAPP = rust-$(VER)
-DL_FILE = $(THISAPP)-$(RUST_PLATFORM).tar.gz
+DL_FILE = $(THISAPP)-$(RUST_PLATFORM).tar.xz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)-$(RUST_PLATFORM)
TARGET = $(DIR_INFO)/$(THISAPP)
@@ -42,9 +42,9 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(THISAPP)-x86_64-unknown-linux-gnu.tar.gz_BLAKE2 = c8df9b124ed155482d445c01a4e4d113206fc5d1bd2c8c55fbcd3462819796a06ec3b5fe8a0943f8eb46ef256673cf50101bb8644fea1565ae612d650f23ece8
-$(THISAPP)-aarch64-unknown-linux-gnu.tar.gz_BLAKE2 = bb5c7085b352e33b5cbfccc3910c2793918c517beb77cd432de60d798de997d0f659f489a08e98fd85e2ea56593b8fb831c9d6a8f78c684712b5bbc35a5824d4
-$(THISAPP)-riscv64gc-unknown-linux-gnu.tar.gz_BLAKE2 = a29aae566e349d597f7ed311c4b7b061c267f9c678b0227930401b8b89ccf56168bbbc168601d8c9d927a116f3efeb1e8ce582e9ca4aec40f270fa0ea9fa9a01
+$(THISAPP)-x86_64-unknown-linux-gnu.tar.xz_BLAKE2 = a4d300f49db610ec30123c68f7b29ea72cf24e543e14f00d3ffafd7a41a25b699fef7b9d62be06a327d4aa08a191c3deca4b7472b7c0c99a0aefa16c7027a7de
+$(THISAPP)-aarch64-unknown-linux-gnu.tar.xz_BLAKE2 = 268524a8066b68dfc2aa4fa524679b3ecc1bf47f74aab47b794eeb0a3ecc76255b7056ad1a852512a52a06802a2dc457bba8c60107d0cb9b464215c344c5430d
+$(THISAPP)-riscv64gc-unknown-linux-gnu.tar.xz_BLAKE2 = e9b200abbd0e294019cd99bb3c6768615ce0bbb7609b3c723a0a57a0d697bdc438c691523f8487b14a9c9397eff0f56b02662b0eb78e057d03100d1ab8d888d6
install : $(TARGET)
@@ -80,9 +80,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--prefix=/usr \
--disable-ldconfig
- # Remove LLVM tools
- rm -vf /usr/lib/rustlib/$(RUST_PLATFORM)/bin/rust-ll{d,vm-dwp}
-
# Create local registry
mkdir -pv $(CARGO_REGISTRY)
--
2.47.3
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 0/3] suricata: Add ability to purge the sgh cache
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
2026-01-23 5:26 ` [PATCH 1/3] suricata: Add upstream patch to purge sgh-mpm-caches Stefan Schantl
2026-01-23 5:26 ` [PATCH 2/3] rust: Update to 1.92.0 Stefan Schantl
@ 2026-01-23 10:09 ` Michael Tremer
2026-01-23 10:33 ` Adolf Belka
2 siblings, 1 reply; 17+ messages in thread
From: Michael Tremer @ 2026-01-23 10:09 UTC (permalink / raw)
To: Stefan Schantl; +Cc: development
Hello Stefan,
Thank you for this patch.
It baffles me that some functionality that could be implemented in a single find command is pulling in just under one hundred more Rust crates. Shipping crates that even have the word “Windows” in their name is beyond me since we are a Linux distribution.
I understand that we have no other choice in this instance and that we will need these things anyways for any future versions of Suricata.
To state this once more, this is something that seems absolutely unmaintainable to me. The pure quantity of the code that is being added is completely unauditable, well… you all know how I am feeling about this.
I will merge this now and then we will have to have a little conversation about the state of Rust in IPFire.
Best,
-Michael
> On 23 Jan 2026, at 05:26, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Good morning list followers,
>
> I've recently finished building and testing the patched suricata version
> on my productive system.
>
> When starting the patched suricata or doing a reload operation, all the
> sgh cache files which are older than 7 days have been removed
> successfully.
>
> So for me this changes can be shipped to a bigger group of testers.
>
> Best regards,
>
> -Stefan
>
> Stefan Schantl (3):
> suricata: Add upstream patch to purge sgh-mpm-caches
> rust: Update to 1.92.0
> cbindgen: New package
>
> config/rootfiles/common/aarch64/rust | 130 +-
> config/rootfiles/common/cbindgen | 1 +
> config/rootfiles/common/riscv64/rust | 109 +-
> config/rootfiles/common/rust-adler2 | 15 +
> config/rootfiles/common/rust-anstream | 22 +
> config/rootfiles/common/rust-anstyle | 15 +
> config/rootfiles/common/rust-anstyle-parse | 16 +
> config/rootfiles/common/rust-anstyle-query | 11 +
> config/rootfiles/common/rust-anstyle-wincon | 14 +
> config/rootfiles/common/rust-anyhow | 56 +
> config/rootfiles/common/rust-auditable-serde | 9 +
> config/rootfiles/common/rust-bitflags | 63 +
> config/rootfiles/common/rust-clap | 154 ++
> config/rootfiles/common/rust-clap_builder | 71 +
> config/rootfiles/common/rust-clap_lex | 9 +
> config/rootfiles/common/rust-colorchoice | 8 +
> config/rootfiles/common/rust-crc32fast | 19 +
> config/rootfiles/common/rust-displaydoc | 42 +
> config/rootfiles/common/rust-errno | 16 +
> config/rootfiles/common/rust-fastrand | 16 +
> config/rootfiles/common/rust-flate2 | 71 +
> config/rootfiles/common/rust-form_urlencoded | 8 +
> config/rootfiles/common/rust-getrandom | 85 +-
> config/rootfiles/common/rust-getrandom-0.2.4 | 38 +
> config/rootfiles/common/rust-heck | 17 +
> config/rootfiles/common/rust-humantime | 16 +
> config/rootfiles/common/rust-icu_collections | 85 ++
> config/rootfiles/common/rust-icu_locale_core | 105 ++
> config/rootfiles/common/rust-icu_normalizer | 42 +
> .../rootfiles/common/rust-icu_normalizer_data | 17 +
> config/rootfiles/common/rust-icu_properties | 19 +
> .../rootfiles/common/rust-icu_properties_data | 139 ++
> config/rootfiles/common/rust-icu_provider | 29 +
> config/rootfiles/common/rust-id-arena | 14 +
> config/rootfiles/common/rust-idna | 24 +
> config/rootfiles/common/rust-idna_adapter | 9 +
> .../common/rust-is_terminal_polyfill | 8 +
> config/rootfiles/common/rust-leb128fmt | 9 +
> config/rootfiles/common/rust-libc | 801 ++++++----
> config/rootfiles/common/rust-libc-0.2.108 | 277 ++++
> config/rootfiles/common/rust-linux-raw-sys | 410 +++++
> config/rootfiles/common/rust-litemap | 27 +
> config/rootfiles/common/rust-log | 47 +-
> config/rootfiles/common/rust-log-0.4.14 | 22 +
> config/rootfiles/common/rust-miniz_oxide | 24 +
> config/rootfiles/common/rust-once_cell | 55 +-
> config/rootfiles/common/rust-once_cell-1.9.0 | 24 +
> .../rootfiles/common/rust-once_cell_polyfill | 10 +
> config/rootfiles/common/rust-percent-encoding | 9 +
> config/rootfiles/common/rust-potential_utf | 10 +
> config/rootfiles/common/rust-prettyplease | 39 +
> config/rootfiles/common/rust-r-efi | 71 +
> config/rootfiles/common/rust-rustix | 403 +++++
> config/rootfiles/common/rust-semver | 42 +-
> config/rootfiles/common/rust-semver-0.9.0 | 15 +
> config/rootfiles/common/rust-semver-parser | 33 +-
> .../rootfiles/common/rust-semver-parser-0.7.0 | 12 +
> config/rootfiles/common/rust-serde | 71 +-
> config/rootfiles/common/rust-serde-1.0.216 | 32 +
> config/rootfiles/common/rust-serde_core | 31 +
> config/rootfiles/common/rust-serde_derive | 67 +-
> .../common/rust-serde_derive-1.0.216 | 28 +
> config/rootfiles/common/rust-simd-adler32 | 19 +
> config/rootfiles/common/rust-smallvec | 40 +-
> config/rootfiles/common/rust-smallvec-1.8.0 | 18 +
> config/rootfiles/common/rust-spdx | 605 ++++++++
> .../rootfiles/common/rust-stable_deref_trait | 18 +-
> config/rootfiles/common/rust-strsim | 14 +
> config/rootfiles/common/rust-syn | 225 +--
> config/rootfiles/common/rust-syn-2.0.90 | 111 ++
> config/rootfiles/common/rust-synstructure | 16 +-
> config/rootfiles/common/rust-tempfile | 32 +
> config/rootfiles/common/rust-tinystr | 25 +
> config/rootfiles/common/rust-topological-sort | 9 +
> config/rootfiles/common/rust-unicode-xid | 30 +-
> .../rootfiles/common/rust-unicode-xid-0.2.1 | 14 +
> config/rootfiles/common/rust-url | 20 +
> config/rootfiles/common/rust-utf16_iter | 12 +
> config/rootfiles/common/rust-utf8_iter | 12 +
> config/rootfiles/common/rust-utf8parse | 12 +
> config/rootfiles/common/rust-wasip2 | 30 +
> config/rootfiles/common/rust-wasm-encoder | 45 +
> config/rootfiles/common/rust-wasm-metadata | 31 +
> config/rootfiles/common/rust-wasmparser | 79 +
> config/rootfiles/common/rust-windows-link | 9 +
> config/rootfiles/common/rust-windows-sys | 505 +++++++
> config/rootfiles/common/rust-wit-bindgen | 42 +
> config/rootfiles/common/rust-wit-bindgen-core | 15 +
> config/rootfiles/common/rust-wit-bindgen-rust | 21 +
> .../common/rust-wit-bindgen-rust-macro | 10 +
> config/rootfiles/common/rust-wit-component | 1006 +++++++++++++
> config/rootfiles/common/rust-wit-parser | 621 ++++++++
> config/rootfiles/common/rust-write16 | 10 +
> config/rootfiles/common/rust-writeable | 23 +
> config/rootfiles/common/rust-yoke | 18 +
> config/rootfiles/common/rust-yoke-derive | 11 +
> config/rootfiles/common/rust-zerofrom | 9 +
> config/rootfiles/common/rust-zerofrom-derive | 11 +
> config/rootfiles/common/rust-zerotrie | 44 +
> config/rootfiles/common/rust-zerovec | 69 +
> config/rootfiles/common/rust-zerovec-derive | 17 +
> config/rootfiles/common/x86_64/rust | 82 +-
> config/suricata/suricata.yaml | 1 +
> lfs/cbindgen | 80 +
> lfs/rust | 13 +-
> lfs/rust-adler2 | 81 +
> lfs/rust-anstream | 81 +
> lfs/rust-anstyle | 81 +
> lfs/rust-anstyle-parse | 81 +
> lfs/rust-anstyle-query | 81 +
> lfs/rust-anstyle-wincon | 81 +
> lfs/rust-anyhow | 81 +
> lfs/rust-auditable-serde | 81 +
> lfs/rust-bitflags | 81 +
> lfs/rust-clap | 81 +
> lfs/rust-clap_builder | 81 +
> lfs/rust-clap_lex | 81 +
> lfs/rust-colorchoice | 81 +
> lfs/rust-crc32fast | 81 +
> lfs/rust-displaydoc | 81 +
> lfs/rust-errno | 81 +
> lfs/rust-fastrand | 81 +
> lfs/rust-flate2 | 81 +
> lfs/rust-form_urlencoded | 81 +
> lfs/rust-getrandom | 8 +-
> lfs/rust-getrandom-0.2.4 | 81 +
> lfs/rust-heck | 81 +
> lfs/rust-humantime | 81 +
> lfs/rust-icu_collections | 81 +
> lfs/rust-icu_locale_core | 81 +
> lfs/rust-icu_normalizer | 81 +
> lfs/rust-icu_normalizer_data | 81 +
> lfs/rust-icu_properties | 81 +
> lfs/rust-icu_properties_data | 81 +
> lfs/rust-icu_provider | 81 +
> lfs/rust-id-arena | 81 +
> lfs/rust-idna | 81 +
> lfs/rust-idna_adapter | 81 +
> lfs/rust-is_terminal_polyfill | 81 +
> lfs/rust-leb128fmt | 81 +
> lfs/rust-libc | 7 +-
> lfs/rust-libc-0.2.108 | 80 +
> lfs/rust-linux-raw-sys | 81 +
> lfs/rust-litemap | 81 +
> lfs/rust-log | 12 +-
> lfs/rust-log-0.4.14 | 85 ++
> lfs/rust-miniz_oxide | 81 +
> lfs/rust-once_cell | 12 +-
> lfs/rust-once_cell-1.9.0 | 85 ++
> lfs/rust-once_cell_polyfill | 81 +
> lfs/rust-percent-encoding | 81 +
> lfs/rust-potential_utf | 81 +
> lfs/rust-prettyplease | 81 +
> lfs/rust-r-efi | 81 +
> lfs/rust-rustix | 81 +
> lfs/rust-semver | 12 +-
> lfs/rust-semver-0.9.0 | 85 ++
> lfs/rust-semver-parser | 7 +-
> lfs/rust-semver-parser-0.7.0 | 80 +
> lfs/rust-serde | 4 +-
> lfs/rust-serde-1.0.216 | 81 +
> lfs/rust-serde_core | 81 +
> lfs/rust-serde_derive | 4 +-
> lfs/rust-serde_derive-1.0.216 | 81 +
> lfs/rust-simd-adler32 | 81 +
> lfs/rust-smallvec | 12 +-
> lfs/rust-smallvec-1.8.0 | 85 ++
> lfs/rust-spdx | 81 +
> lfs/rust-stable_deref_trait | 12 +-
> lfs/rust-strsim | 81 +
> lfs/rust-syn | 4 +-
> lfs/rust-syn-2.0.90 | 81 +
> lfs/rust-synstructure | 4 +-
> lfs/rust-tempfile | 81 +
> lfs/rust-tinystr | 81 +
> lfs/rust-topological-sort | 81 +
> lfs/rust-unicode-xid | 7 +-
> lfs/rust-unicode-xid-0.2.1 | 80 +
> lfs/rust-url | 81 +
> lfs/rust-utf16_iter | 81 +
> lfs/rust-utf8_iter | 81 +
> lfs/rust-utf8parse | 81 +
> lfs/rust-wasip2 | 81 +
> lfs/rust-wasm-encoder | 81 +
> lfs/rust-wasm-metadata | 81 +
> lfs/rust-wasmparser | 81 +
> lfs/rust-windows-link | 81 +
> lfs/rust-windows-sys | 81 +
> lfs/rust-wit-bindgen | 81 +
> lfs/rust-wit-bindgen-core | 81 +
> lfs/rust-wit-bindgen-rust | 81 +
> lfs/rust-wit-bindgen-rust-macro | 81 +
> lfs/rust-wit-component | 81 +
> lfs/rust-wit-parser | 81 +
> lfs/rust-write16 | 81 +
> lfs/rust-writeable | 81 +
> lfs/rust-yoke | 81 +
> lfs/rust-yoke-derive | 81 +
> lfs/rust-zerofrom | 81 +
> lfs/rust-zerofrom-derive | 81 +
> lfs/rust-zerotrie | 81 +
> lfs/rust-zerovec | 81 +
> lfs/rust-zerovec-derive | 81 +
> lfs/suricata | 13 +-
> make.sh | 133 +-
> ...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 +++++++++++++++++
> 206 files changed, 15762 insertions(+), 853 deletions(-)
> create mode 100644 config/rootfiles/common/cbindgen
> create mode 100644 config/rootfiles/common/rust-adler2
> create mode 100644 config/rootfiles/common/rust-anstream
> create mode 100644 config/rootfiles/common/rust-anstyle
> create mode 100644 config/rootfiles/common/rust-anstyle-parse
> create mode 100644 config/rootfiles/common/rust-anstyle-query
> create mode 100644 config/rootfiles/common/rust-anstyle-wincon
> create mode 100644 config/rootfiles/common/rust-anyhow
> create mode 100644 config/rootfiles/common/rust-auditable-serde
> create mode 100644 config/rootfiles/common/rust-bitflags
> create mode 100644 config/rootfiles/common/rust-clap
> create mode 100644 config/rootfiles/common/rust-clap_builder
> create mode 100644 config/rootfiles/common/rust-clap_lex
> create mode 100644 config/rootfiles/common/rust-colorchoice
> create mode 100644 config/rootfiles/common/rust-crc32fast
> create mode 100644 config/rootfiles/common/rust-displaydoc
> create mode 100644 config/rootfiles/common/rust-errno
> create mode 100644 config/rootfiles/common/rust-fastrand
> create mode 100644 config/rootfiles/common/rust-flate2
> create mode 100644 config/rootfiles/common/rust-form_urlencoded
> create mode 100644 config/rootfiles/common/rust-getrandom-0.2.4
> create mode 100644 config/rootfiles/common/rust-heck
> create mode 100644 config/rootfiles/common/rust-humantime
> create mode 100644 config/rootfiles/common/rust-icu_collections
> create mode 100644 config/rootfiles/common/rust-icu_locale_core
> create mode 100644 config/rootfiles/common/rust-icu_normalizer
> create mode 100644 config/rootfiles/common/rust-icu_normalizer_data
> create mode 100644 config/rootfiles/common/rust-icu_properties
> create mode 100644 config/rootfiles/common/rust-icu_properties_data
> create mode 100644 config/rootfiles/common/rust-icu_provider
> create mode 100644 config/rootfiles/common/rust-id-arena
> create mode 100644 config/rootfiles/common/rust-idna
> create mode 100644 config/rootfiles/common/rust-idna_adapter
> create mode 100644 config/rootfiles/common/rust-is_terminal_polyfill
> create mode 100644 config/rootfiles/common/rust-leb128fmt
> create mode 100644 config/rootfiles/common/rust-libc-0.2.108
> create mode 100644 config/rootfiles/common/rust-linux-raw-sys
> create mode 100644 config/rootfiles/common/rust-litemap
> create mode 100644 config/rootfiles/common/rust-log-0.4.14
> create mode 100644 config/rootfiles/common/rust-miniz_oxide
> create mode 100644 config/rootfiles/common/rust-once_cell-1.9.0
> create mode 100644 config/rootfiles/common/rust-once_cell_polyfill
> create mode 100644 config/rootfiles/common/rust-percent-encoding
> create mode 100644 config/rootfiles/common/rust-potential_utf
> create mode 100644 config/rootfiles/common/rust-prettyplease
> create mode 100644 config/rootfiles/common/rust-r-efi
> create mode 100644 config/rootfiles/common/rust-rustix
> create mode 100644 config/rootfiles/common/rust-semver-0.9.0
> create mode 100644 config/rootfiles/common/rust-semver-parser-0.7.0
> create mode 100644 config/rootfiles/common/rust-serde-1.0.216
> create mode 100644 config/rootfiles/common/rust-serde_core
> create mode 100644 config/rootfiles/common/rust-serde_derive-1.0.216
> create mode 100644 config/rootfiles/common/rust-simd-adler32
> create mode 100644 config/rootfiles/common/rust-smallvec-1.8.0
> create mode 100644 config/rootfiles/common/rust-spdx
> create mode 100644 config/rootfiles/common/rust-strsim
> create mode 100644 config/rootfiles/common/rust-syn-2.0.90
> create mode 100644 config/rootfiles/common/rust-tempfile
> create mode 100644 config/rootfiles/common/rust-tinystr
> create mode 100644 config/rootfiles/common/rust-topological-sort
> create mode 100644 config/rootfiles/common/rust-unicode-xid-0.2.1
> create mode 100644 config/rootfiles/common/rust-url
> create mode 100644 config/rootfiles/common/rust-utf16_iter
> create mode 100644 config/rootfiles/common/rust-utf8_iter
> create mode 100644 config/rootfiles/common/rust-utf8parse
> create mode 100644 config/rootfiles/common/rust-wasip2
> create mode 100644 config/rootfiles/common/rust-wasm-encoder
> create mode 100644 config/rootfiles/common/rust-wasm-metadata
> create mode 100644 config/rootfiles/common/rust-wasmparser
> create mode 100644 config/rootfiles/common/rust-windows-link
> create mode 100644 config/rootfiles/common/rust-windows-sys
> create mode 100644 config/rootfiles/common/rust-wit-bindgen
> create mode 100644 config/rootfiles/common/rust-wit-bindgen-core
> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust
> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust-macro
> create mode 100644 config/rootfiles/common/rust-wit-component
> create mode 100644 config/rootfiles/common/rust-wit-parser
> create mode 100644 config/rootfiles/common/rust-write16
> create mode 100644 config/rootfiles/common/rust-writeable
> create mode 100644 config/rootfiles/common/rust-yoke
> create mode 100644 config/rootfiles/common/rust-yoke-derive
> create mode 100644 config/rootfiles/common/rust-zerofrom
> create mode 100644 config/rootfiles/common/rust-zerofrom-derive
> create mode 100644 config/rootfiles/common/rust-zerotrie
> create mode 100644 config/rootfiles/common/rust-zerovec
> create mode 100644 config/rootfiles/common/rust-zerovec-derive
> create mode 100644 lfs/cbindgen
> create mode 100644 lfs/rust-adler2
> create mode 100644 lfs/rust-anstream
> create mode 100644 lfs/rust-anstyle
> create mode 100644 lfs/rust-anstyle-parse
> create mode 100644 lfs/rust-anstyle-query
> create mode 100644 lfs/rust-anstyle-wincon
> create mode 100644 lfs/rust-anyhow
> create mode 100644 lfs/rust-auditable-serde
> create mode 100644 lfs/rust-bitflags
> create mode 100644 lfs/rust-clap
> create mode 100644 lfs/rust-clap_builder
> create mode 100644 lfs/rust-clap_lex
> create mode 100644 lfs/rust-colorchoice
> create mode 100644 lfs/rust-crc32fast
> create mode 100644 lfs/rust-displaydoc
> create mode 100644 lfs/rust-errno
> create mode 100644 lfs/rust-fastrand
> create mode 100644 lfs/rust-flate2
> create mode 100644 lfs/rust-form_urlencoded
> create mode 100644 lfs/rust-getrandom-0.2.4
> create mode 100644 lfs/rust-heck
> create mode 100644 lfs/rust-humantime
> create mode 100644 lfs/rust-icu_collections
> create mode 100644 lfs/rust-icu_locale_core
> create mode 100644 lfs/rust-icu_normalizer
> create mode 100644 lfs/rust-icu_normalizer_data
> create mode 100644 lfs/rust-icu_properties
> create mode 100644 lfs/rust-icu_properties_data
> create mode 100644 lfs/rust-icu_provider
> create mode 100644 lfs/rust-id-arena
> create mode 100644 lfs/rust-idna
> create mode 100644 lfs/rust-idna_adapter
> create mode 100644 lfs/rust-is_terminal_polyfill
> create mode 100644 lfs/rust-leb128fmt
> create mode 100644 lfs/rust-libc-0.2.108
> create mode 100644 lfs/rust-linux-raw-sys
> create mode 100644 lfs/rust-litemap
> create mode 100644 lfs/rust-log-0.4.14
> create mode 100644 lfs/rust-miniz_oxide
> create mode 100644 lfs/rust-once_cell-1.9.0
> create mode 100644 lfs/rust-once_cell_polyfill
> create mode 100644 lfs/rust-percent-encoding
> create mode 100644 lfs/rust-potential_utf
> create mode 100644 lfs/rust-prettyplease
> create mode 100644 lfs/rust-r-efi
> create mode 100644 lfs/rust-rustix
> create mode 100644 lfs/rust-semver-0.9.0
> create mode 100644 lfs/rust-semver-parser-0.7.0
> create mode 100644 lfs/rust-serde-1.0.216
> create mode 100644 lfs/rust-serde_core
> create mode 100644 lfs/rust-serde_derive-1.0.216
> create mode 100644 lfs/rust-simd-adler32
> create mode 100644 lfs/rust-smallvec-1.8.0
> create mode 100644 lfs/rust-spdx
> create mode 100644 lfs/rust-strsim
> create mode 100644 lfs/rust-syn-2.0.90
> create mode 100644 lfs/rust-tempfile
> create mode 100644 lfs/rust-tinystr
> create mode 100644 lfs/rust-topological-sort
> create mode 100644 lfs/rust-unicode-xid-0.2.1
> create mode 100644 lfs/rust-url
> create mode 100644 lfs/rust-utf16_iter
> create mode 100644 lfs/rust-utf8_iter
> create mode 100644 lfs/rust-utf8parse
> create mode 100644 lfs/rust-wasip2
> create mode 100644 lfs/rust-wasm-encoder
> create mode 100644 lfs/rust-wasm-metadata
> create mode 100644 lfs/rust-wasmparser
> create mode 100644 lfs/rust-windows-link
> create mode 100644 lfs/rust-windows-sys
> create mode 100644 lfs/rust-wit-bindgen
> create mode 100644 lfs/rust-wit-bindgen-core
> create mode 100644 lfs/rust-wit-bindgen-rust
> create mode 100644 lfs/rust-wit-bindgen-rust-macro
> create mode 100644 lfs/rust-wit-component
> create mode 100644 lfs/rust-wit-parser
> create mode 100644 lfs/rust-write16
> create mode 100644 lfs/rust-writeable
> create mode 100644 lfs/rust-yoke
> create mode 100644 lfs/rust-yoke-derive
> create mode 100644 lfs/rust-zerofrom
> create mode 100644 lfs/rust-zerofrom-derive
> create mode 100644 lfs/rust-zerotrie
> create mode 100644 lfs/rust-zerovec
> create mode 100644 lfs/rust-zerovec-derive
> create mode 100644 src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
>
> --
> 2.47.3
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-22 17:38 Updating rust and eco system Stefan Schantl
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
@ 2026-01-23 10:31 ` Michael Tremer
2026-01-23 11:06 ` Adolf Belka
1 sibling, 1 reply; 17+ messages in thread
From: Michael Tremer @ 2026-01-23 10:31 UTC (permalink / raw)
To: Stefan Schantl; +Cc: development
Hello Stefan,
Hello list,
Thank you for looking at this. Of course it is very important that we are able to stay on the latest version of Suricata.
I have merged your monster of a patch so that we can move on for now, but I have a couple of bigger questions that we all should have a look at:
Adolf has in the past spent a lot of time on updating Rust. This is all tapping into Python - or rather python-cryptography - having some Rust code that has further dependencies. In essence, it has been a huge headache to update this. Maybe Adolf even has some other words for this all.
Just building cbindgen has required a further ~98 Rust crates to be packaged. Often we have the same crate in different versions because other crates have pinned a specific version. In total, we currently have ~790 packages in IPFire. Out of those, there are 202 packages in the rust-* namespace. That is pretty much a quarter of the distribution. Although not a lot in size, this is a considerable maintenance burden.
ClamAV and Suricata have (recently?) started to bundle all their Rust dependencies with their release tarballs. Although this is not a good thing for many other reasons, it will move the onus onto the upstream projects to provide whatever they need. If their dependencies (and the dependencies of their dependencies) explode, this is not really our problem any more as well as any supply chain problems. Great - within reason.
That leaves us with only very few packages that would actually require any external Rust crates (Suricata is even configured to *exclusively* use their bundled crates): cbindgen as a new thing, python-cryptography, anything else? We might actually only need a fraction of the Rust crates that we currently have as the only packages that may actually tap into our locally built repository are only those two.
Is anyone happy to give this all a try and cleanup any old Rust deps? That way, I hope we will have a much smoother ride moving forward with a Python update.
All the best,
-Michael
> On 22 Jan 2026, at 17:38, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Hello list followers,
>
> I'm currently updating rust and affected modules.
>
> This happends mainly because I'm trying to fix the "suricata cache
> grows infinite" problem, which a lot of people are affected.
>
> To archive this, I ported the patches from suricata main development
> branch to our used suricata version (8.0.3).
>
> To perform a full build, a new tool called cbindgen - which is a rust
> to c bindings generator, is required.
>
> Sadly this tool is also written in rust and requires some new
> dependencies and a more up to date rust compiler.
>
> I hope to send a patchset for all this very soon to the mailing list.
>
> Best regards,
>
> -Stefan
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 0/3] suricata: Add ability to purge the sgh cache
2026-01-23 10:09 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Michael Tremer
@ 2026-01-23 10:33 ` Adolf Belka
2026-01-23 10:43 ` Michael Tremer
0 siblings, 1 reply; 17+ messages in thread
From: Adolf Belka @ 2026-01-23 10:33 UTC (permalink / raw)
To: Michael Tremer; +Cc: Stefan Schantl, IPFire: Development-List
Hi Michael,
On 23/01/2026 11:09, Michael Tremer wrote:
> Hello Stefan,
>
> Thank you for this patch.
>
> It baffles me that some functionality that could be implemented in a single find command is pulling in just under one hundred more Rust crates. Shipping crates that even have the word “Windows” in their name is beyond me since we are a Linux distribution.
This is happening because we are building the rust crates in offline mode and so it is up to us to figure out which OS we should be supporting.
So you have to patch the Cargo.toml file in the rust module tarball to disable or remove any entries related to windows or wasm or any other OS that is not linux and where building the module tries to bring additional modules not related to Linux.
This is something I have had to do with every Rust update and also with all my attempts with the Python update that also ends up needing updated and many additional rust modules.
The good thing is that a lot of what Stefan has built here, except for the windows crates, are also required for the python update.
On that point I will send out a separate email regarding my status and position.
>
> I understand that we have no other choice in this instance and that we will need these things anyways for any future versions of Suricata.
>
> To state this once more, this is something that seems absolutely unmaintainable to me. The pure quantity of the code that is being added is completely unauditable, well… you all know how I am feeling about this.
>
> I will merge this now and then we will have to have a little conversation about the state of Rust in IPFire.
That would be a good topic to discuss.
Regards,
Adolf.
>
> Best,
> -Michael
>
>> On 23 Jan 2026, at 05:26, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>
>> Good morning list followers,
>>
>> I've recently finished building and testing the patched suricata version
>> on my productive system.
>>
>> When starting the patched suricata or doing a reload operation, all the
>> sgh cache files which are older than 7 days have been removed
>> successfully.
>>
>> So for me this changes can be shipped to a bigger group of testers.
>>
>> Best regards,
>>
>> -Stefan
>>
>> Stefan Schantl (3):
>> suricata: Add upstream patch to purge sgh-mpm-caches
>> rust: Update to 1.92.0
>> cbindgen: New package
>>
>> config/rootfiles/common/aarch64/rust | 130 +-
>> config/rootfiles/common/cbindgen | 1 +
>> config/rootfiles/common/riscv64/rust | 109 +-
>> config/rootfiles/common/rust-adler2 | 15 +
>> config/rootfiles/common/rust-anstream | 22 +
>> config/rootfiles/common/rust-anstyle | 15 +
>> config/rootfiles/common/rust-anstyle-parse | 16 +
>> config/rootfiles/common/rust-anstyle-query | 11 +
>> config/rootfiles/common/rust-anstyle-wincon | 14 +
>> config/rootfiles/common/rust-anyhow | 56 +
>> config/rootfiles/common/rust-auditable-serde | 9 +
>> config/rootfiles/common/rust-bitflags | 63 +
>> config/rootfiles/common/rust-clap | 154 ++
>> config/rootfiles/common/rust-clap_builder | 71 +
>> config/rootfiles/common/rust-clap_lex | 9 +
>> config/rootfiles/common/rust-colorchoice | 8 +
>> config/rootfiles/common/rust-crc32fast | 19 +
>> config/rootfiles/common/rust-displaydoc | 42 +
>> config/rootfiles/common/rust-errno | 16 +
>> config/rootfiles/common/rust-fastrand | 16 +
>> config/rootfiles/common/rust-flate2 | 71 +
>> config/rootfiles/common/rust-form_urlencoded | 8 +
>> config/rootfiles/common/rust-getrandom | 85 +-
>> config/rootfiles/common/rust-getrandom-0.2.4 | 38 +
>> config/rootfiles/common/rust-heck | 17 +
>> config/rootfiles/common/rust-humantime | 16 +
>> config/rootfiles/common/rust-icu_collections | 85 ++
>> config/rootfiles/common/rust-icu_locale_core | 105 ++
>> config/rootfiles/common/rust-icu_normalizer | 42 +
>> .../rootfiles/common/rust-icu_normalizer_data | 17 +
>> config/rootfiles/common/rust-icu_properties | 19 +
>> .../rootfiles/common/rust-icu_properties_data | 139 ++
>> config/rootfiles/common/rust-icu_provider | 29 +
>> config/rootfiles/common/rust-id-arena | 14 +
>> config/rootfiles/common/rust-idna | 24 +
>> config/rootfiles/common/rust-idna_adapter | 9 +
>> .../common/rust-is_terminal_polyfill | 8 +
>> config/rootfiles/common/rust-leb128fmt | 9 +
>> config/rootfiles/common/rust-libc | 801 ++++++----
>> config/rootfiles/common/rust-libc-0.2.108 | 277 ++++
>> config/rootfiles/common/rust-linux-raw-sys | 410 +++++
>> config/rootfiles/common/rust-litemap | 27 +
>> config/rootfiles/common/rust-log | 47 +-
>> config/rootfiles/common/rust-log-0.4.14 | 22 +
>> config/rootfiles/common/rust-miniz_oxide | 24 +
>> config/rootfiles/common/rust-once_cell | 55 +-
>> config/rootfiles/common/rust-once_cell-1.9.0 | 24 +
>> .../rootfiles/common/rust-once_cell_polyfill | 10 +
>> config/rootfiles/common/rust-percent-encoding | 9 +
>> config/rootfiles/common/rust-potential_utf | 10 +
>> config/rootfiles/common/rust-prettyplease | 39 +
>> config/rootfiles/common/rust-r-efi | 71 +
>> config/rootfiles/common/rust-rustix | 403 +++++
>> config/rootfiles/common/rust-semver | 42 +-
>> config/rootfiles/common/rust-semver-0.9.0 | 15 +
>> config/rootfiles/common/rust-semver-parser | 33 +-
>> .../rootfiles/common/rust-semver-parser-0.7.0 | 12 +
>> config/rootfiles/common/rust-serde | 71 +-
>> config/rootfiles/common/rust-serde-1.0.216 | 32 +
>> config/rootfiles/common/rust-serde_core | 31 +
>> config/rootfiles/common/rust-serde_derive | 67 +-
>> .../common/rust-serde_derive-1.0.216 | 28 +
>> config/rootfiles/common/rust-simd-adler32 | 19 +
>> config/rootfiles/common/rust-smallvec | 40 +-
>> config/rootfiles/common/rust-smallvec-1.8.0 | 18 +
>> config/rootfiles/common/rust-spdx | 605 ++++++++
>> .../rootfiles/common/rust-stable_deref_trait | 18 +-
>> config/rootfiles/common/rust-strsim | 14 +
>> config/rootfiles/common/rust-syn | 225 +--
>> config/rootfiles/common/rust-syn-2.0.90 | 111 ++
>> config/rootfiles/common/rust-synstructure | 16 +-
>> config/rootfiles/common/rust-tempfile | 32 +
>> config/rootfiles/common/rust-tinystr | 25 +
>> config/rootfiles/common/rust-topological-sort | 9 +
>> config/rootfiles/common/rust-unicode-xid | 30 +-
>> .../rootfiles/common/rust-unicode-xid-0.2.1 | 14 +
>> config/rootfiles/common/rust-url | 20 +
>> config/rootfiles/common/rust-utf16_iter | 12 +
>> config/rootfiles/common/rust-utf8_iter | 12 +
>> config/rootfiles/common/rust-utf8parse | 12 +
>> config/rootfiles/common/rust-wasip2 | 30 +
>> config/rootfiles/common/rust-wasm-encoder | 45 +
>> config/rootfiles/common/rust-wasm-metadata | 31 +
>> config/rootfiles/common/rust-wasmparser | 79 +
>> config/rootfiles/common/rust-windows-link | 9 +
>> config/rootfiles/common/rust-windows-sys | 505 +++++++
>> config/rootfiles/common/rust-wit-bindgen | 42 +
>> config/rootfiles/common/rust-wit-bindgen-core | 15 +
>> config/rootfiles/common/rust-wit-bindgen-rust | 21 +
>> .../common/rust-wit-bindgen-rust-macro | 10 +
>> config/rootfiles/common/rust-wit-component | 1006 +++++++++++++
>> config/rootfiles/common/rust-wit-parser | 621 ++++++++
>> config/rootfiles/common/rust-write16 | 10 +
>> config/rootfiles/common/rust-writeable | 23 +
>> config/rootfiles/common/rust-yoke | 18 +
>> config/rootfiles/common/rust-yoke-derive | 11 +
>> config/rootfiles/common/rust-zerofrom | 9 +
>> config/rootfiles/common/rust-zerofrom-derive | 11 +
>> config/rootfiles/common/rust-zerotrie | 44 +
>> config/rootfiles/common/rust-zerovec | 69 +
>> config/rootfiles/common/rust-zerovec-derive | 17 +
>> config/rootfiles/common/x86_64/rust | 82 +-
>> config/suricata/suricata.yaml | 1 +
>> lfs/cbindgen | 80 +
>> lfs/rust | 13 +-
>> lfs/rust-adler2 | 81 +
>> lfs/rust-anstream | 81 +
>> lfs/rust-anstyle | 81 +
>> lfs/rust-anstyle-parse | 81 +
>> lfs/rust-anstyle-query | 81 +
>> lfs/rust-anstyle-wincon | 81 +
>> lfs/rust-anyhow | 81 +
>> lfs/rust-auditable-serde | 81 +
>> lfs/rust-bitflags | 81 +
>> lfs/rust-clap | 81 +
>> lfs/rust-clap_builder | 81 +
>> lfs/rust-clap_lex | 81 +
>> lfs/rust-colorchoice | 81 +
>> lfs/rust-crc32fast | 81 +
>> lfs/rust-displaydoc | 81 +
>> lfs/rust-errno | 81 +
>> lfs/rust-fastrand | 81 +
>> lfs/rust-flate2 | 81 +
>> lfs/rust-form_urlencoded | 81 +
>> lfs/rust-getrandom | 8 +-
>> lfs/rust-getrandom-0.2.4 | 81 +
>> lfs/rust-heck | 81 +
>> lfs/rust-humantime | 81 +
>> lfs/rust-icu_collections | 81 +
>> lfs/rust-icu_locale_core | 81 +
>> lfs/rust-icu_normalizer | 81 +
>> lfs/rust-icu_normalizer_data | 81 +
>> lfs/rust-icu_properties | 81 +
>> lfs/rust-icu_properties_data | 81 +
>> lfs/rust-icu_provider | 81 +
>> lfs/rust-id-arena | 81 +
>> lfs/rust-idna | 81 +
>> lfs/rust-idna_adapter | 81 +
>> lfs/rust-is_terminal_polyfill | 81 +
>> lfs/rust-leb128fmt | 81 +
>> lfs/rust-libc | 7 +-
>> lfs/rust-libc-0.2.108 | 80 +
>> lfs/rust-linux-raw-sys | 81 +
>> lfs/rust-litemap | 81 +
>> lfs/rust-log | 12 +-
>> lfs/rust-log-0.4.14 | 85 ++
>> lfs/rust-miniz_oxide | 81 +
>> lfs/rust-once_cell | 12 +-
>> lfs/rust-once_cell-1.9.0 | 85 ++
>> lfs/rust-once_cell_polyfill | 81 +
>> lfs/rust-percent-encoding | 81 +
>> lfs/rust-potential_utf | 81 +
>> lfs/rust-prettyplease | 81 +
>> lfs/rust-r-efi | 81 +
>> lfs/rust-rustix | 81 +
>> lfs/rust-semver | 12 +-
>> lfs/rust-semver-0.9.0 | 85 ++
>> lfs/rust-semver-parser | 7 +-
>> lfs/rust-semver-parser-0.7.0 | 80 +
>> lfs/rust-serde | 4 +-
>> lfs/rust-serde-1.0.216 | 81 +
>> lfs/rust-serde_core | 81 +
>> lfs/rust-serde_derive | 4 +-
>> lfs/rust-serde_derive-1.0.216 | 81 +
>> lfs/rust-simd-adler32 | 81 +
>> lfs/rust-smallvec | 12 +-
>> lfs/rust-smallvec-1.8.0 | 85 ++
>> lfs/rust-spdx | 81 +
>> lfs/rust-stable_deref_trait | 12 +-
>> lfs/rust-strsim | 81 +
>> lfs/rust-syn | 4 +-
>> lfs/rust-syn-2.0.90 | 81 +
>> lfs/rust-synstructure | 4 +-
>> lfs/rust-tempfile | 81 +
>> lfs/rust-tinystr | 81 +
>> lfs/rust-topological-sort | 81 +
>> lfs/rust-unicode-xid | 7 +-
>> lfs/rust-unicode-xid-0.2.1 | 80 +
>> lfs/rust-url | 81 +
>> lfs/rust-utf16_iter | 81 +
>> lfs/rust-utf8_iter | 81 +
>> lfs/rust-utf8parse | 81 +
>> lfs/rust-wasip2 | 81 +
>> lfs/rust-wasm-encoder | 81 +
>> lfs/rust-wasm-metadata | 81 +
>> lfs/rust-wasmparser | 81 +
>> lfs/rust-windows-link | 81 +
>> lfs/rust-windows-sys | 81 +
>> lfs/rust-wit-bindgen | 81 +
>> lfs/rust-wit-bindgen-core | 81 +
>> lfs/rust-wit-bindgen-rust | 81 +
>> lfs/rust-wit-bindgen-rust-macro | 81 +
>> lfs/rust-wit-component | 81 +
>> lfs/rust-wit-parser | 81 +
>> lfs/rust-write16 | 81 +
>> lfs/rust-writeable | 81 +
>> lfs/rust-yoke | 81 +
>> lfs/rust-yoke-derive | 81 +
>> lfs/rust-zerofrom | 81 +
>> lfs/rust-zerofrom-derive | 81 +
>> lfs/rust-zerotrie | 81 +
>> lfs/rust-zerovec | 81 +
>> lfs/rust-zerovec-derive | 81 +
>> lfs/suricata | 13 +-
>> make.sh | 133 +-
>> ...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 +++++++++++++++++
>> 206 files changed, 15762 insertions(+), 853 deletions(-)
>> create mode 100644 config/rootfiles/common/cbindgen
>> create mode 100644 config/rootfiles/common/rust-adler2
>> create mode 100644 config/rootfiles/common/rust-anstream
>> create mode 100644 config/rootfiles/common/rust-anstyle
>> create mode 100644 config/rootfiles/common/rust-anstyle-parse
>> create mode 100644 config/rootfiles/common/rust-anstyle-query
>> create mode 100644 config/rootfiles/common/rust-anstyle-wincon
>> create mode 100644 config/rootfiles/common/rust-anyhow
>> create mode 100644 config/rootfiles/common/rust-auditable-serde
>> create mode 100644 config/rootfiles/common/rust-bitflags
>> create mode 100644 config/rootfiles/common/rust-clap
>> create mode 100644 config/rootfiles/common/rust-clap_builder
>> create mode 100644 config/rootfiles/common/rust-clap_lex
>> create mode 100644 config/rootfiles/common/rust-colorchoice
>> create mode 100644 config/rootfiles/common/rust-crc32fast
>> create mode 100644 config/rootfiles/common/rust-displaydoc
>> create mode 100644 config/rootfiles/common/rust-errno
>> create mode 100644 config/rootfiles/common/rust-fastrand
>> create mode 100644 config/rootfiles/common/rust-flate2
>> create mode 100644 config/rootfiles/common/rust-form_urlencoded
>> create mode 100644 config/rootfiles/common/rust-getrandom-0.2.4
>> create mode 100644 config/rootfiles/common/rust-heck
>> create mode 100644 config/rootfiles/common/rust-humantime
>> create mode 100644 config/rootfiles/common/rust-icu_collections
>> create mode 100644 config/rootfiles/common/rust-icu_locale_core
>> create mode 100644 config/rootfiles/common/rust-icu_normalizer
>> create mode 100644 config/rootfiles/common/rust-icu_normalizer_data
>> create mode 100644 config/rootfiles/common/rust-icu_properties
>> create mode 100644 config/rootfiles/common/rust-icu_properties_data
>> create mode 100644 config/rootfiles/common/rust-icu_provider
>> create mode 100644 config/rootfiles/common/rust-id-arena
>> create mode 100644 config/rootfiles/common/rust-idna
>> create mode 100644 config/rootfiles/common/rust-idna_adapter
>> create mode 100644 config/rootfiles/common/rust-is_terminal_polyfill
>> create mode 100644 config/rootfiles/common/rust-leb128fmt
>> create mode 100644 config/rootfiles/common/rust-libc-0.2.108
>> create mode 100644 config/rootfiles/common/rust-linux-raw-sys
>> create mode 100644 config/rootfiles/common/rust-litemap
>> create mode 100644 config/rootfiles/common/rust-log-0.4.14
>> create mode 100644 config/rootfiles/common/rust-miniz_oxide
>> create mode 100644 config/rootfiles/common/rust-once_cell-1.9.0
>> create mode 100644 config/rootfiles/common/rust-once_cell_polyfill
>> create mode 100644 config/rootfiles/common/rust-percent-encoding
>> create mode 100644 config/rootfiles/common/rust-potential_utf
>> create mode 100644 config/rootfiles/common/rust-prettyplease
>> create mode 100644 config/rootfiles/common/rust-r-efi
>> create mode 100644 config/rootfiles/common/rust-rustix
>> create mode 100644 config/rootfiles/common/rust-semver-0.9.0
>> create mode 100644 config/rootfiles/common/rust-semver-parser-0.7.0
>> create mode 100644 config/rootfiles/common/rust-serde-1.0.216
>> create mode 100644 config/rootfiles/common/rust-serde_core
>> create mode 100644 config/rootfiles/common/rust-serde_derive-1.0.216
>> create mode 100644 config/rootfiles/common/rust-simd-adler32
>> create mode 100644 config/rootfiles/common/rust-smallvec-1.8.0
>> create mode 100644 config/rootfiles/common/rust-spdx
>> create mode 100644 config/rootfiles/common/rust-strsim
>> create mode 100644 config/rootfiles/common/rust-syn-2.0.90
>> create mode 100644 config/rootfiles/common/rust-tempfile
>> create mode 100644 config/rootfiles/common/rust-tinystr
>> create mode 100644 config/rootfiles/common/rust-topological-sort
>> create mode 100644 config/rootfiles/common/rust-unicode-xid-0.2.1
>> create mode 100644 config/rootfiles/common/rust-url
>> create mode 100644 config/rootfiles/common/rust-utf16_iter
>> create mode 100644 config/rootfiles/common/rust-utf8_iter
>> create mode 100644 config/rootfiles/common/rust-utf8parse
>> create mode 100644 config/rootfiles/common/rust-wasip2
>> create mode 100644 config/rootfiles/common/rust-wasm-encoder
>> create mode 100644 config/rootfiles/common/rust-wasm-metadata
>> create mode 100644 config/rootfiles/common/rust-wasmparser
>> create mode 100644 config/rootfiles/common/rust-windows-link
>> create mode 100644 config/rootfiles/common/rust-windows-sys
>> create mode 100644 config/rootfiles/common/rust-wit-bindgen
>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-core
>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust
>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust-macro
>> create mode 100644 config/rootfiles/common/rust-wit-component
>> create mode 100644 config/rootfiles/common/rust-wit-parser
>> create mode 100644 config/rootfiles/common/rust-write16
>> create mode 100644 config/rootfiles/common/rust-writeable
>> create mode 100644 config/rootfiles/common/rust-yoke
>> create mode 100644 config/rootfiles/common/rust-yoke-derive
>> create mode 100644 config/rootfiles/common/rust-zerofrom
>> create mode 100644 config/rootfiles/common/rust-zerofrom-derive
>> create mode 100644 config/rootfiles/common/rust-zerotrie
>> create mode 100644 config/rootfiles/common/rust-zerovec
>> create mode 100644 config/rootfiles/common/rust-zerovec-derive
>> create mode 100644 lfs/cbindgen
>> create mode 100644 lfs/rust-adler2
>> create mode 100644 lfs/rust-anstream
>> create mode 100644 lfs/rust-anstyle
>> create mode 100644 lfs/rust-anstyle-parse
>> create mode 100644 lfs/rust-anstyle-query
>> create mode 100644 lfs/rust-anstyle-wincon
>> create mode 100644 lfs/rust-anyhow
>> create mode 100644 lfs/rust-auditable-serde
>> create mode 100644 lfs/rust-bitflags
>> create mode 100644 lfs/rust-clap
>> create mode 100644 lfs/rust-clap_builder
>> create mode 100644 lfs/rust-clap_lex
>> create mode 100644 lfs/rust-colorchoice
>> create mode 100644 lfs/rust-crc32fast
>> create mode 100644 lfs/rust-displaydoc
>> create mode 100644 lfs/rust-errno
>> create mode 100644 lfs/rust-fastrand
>> create mode 100644 lfs/rust-flate2
>> create mode 100644 lfs/rust-form_urlencoded
>> create mode 100644 lfs/rust-getrandom-0.2.4
>> create mode 100644 lfs/rust-heck
>> create mode 100644 lfs/rust-humantime
>> create mode 100644 lfs/rust-icu_collections
>> create mode 100644 lfs/rust-icu_locale_core
>> create mode 100644 lfs/rust-icu_normalizer
>> create mode 100644 lfs/rust-icu_normalizer_data
>> create mode 100644 lfs/rust-icu_properties
>> create mode 100644 lfs/rust-icu_properties_data
>> create mode 100644 lfs/rust-icu_provider
>> create mode 100644 lfs/rust-id-arena
>> create mode 100644 lfs/rust-idna
>> create mode 100644 lfs/rust-idna_adapter
>> create mode 100644 lfs/rust-is_terminal_polyfill
>> create mode 100644 lfs/rust-leb128fmt
>> create mode 100644 lfs/rust-libc-0.2.108
>> create mode 100644 lfs/rust-linux-raw-sys
>> create mode 100644 lfs/rust-litemap
>> create mode 100644 lfs/rust-log-0.4.14
>> create mode 100644 lfs/rust-miniz_oxide
>> create mode 100644 lfs/rust-once_cell-1.9.0
>> create mode 100644 lfs/rust-once_cell_polyfill
>> create mode 100644 lfs/rust-percent-encoding
>> create mode 100644 lfs/rust-potential_utf
>> create mode 100644 lfs/rust-prettyplease
>> create mode 100644 lfs/rust-r-efi
>> create mode 100644 lfs/rust-rustix
>> create mode 100644 lfs/rust-semver-0.9.0
>> create mode 100644 lfs/rust-semver-parser-0.7.0
>> create mode 100644 lfs/rust-serde-1.0.216
>> create mode 100644 lfs/rust-serde_core
>> create mode 100644 lfs/rust-serde_derive-1.0.216
>> create mode 100644 lfs/rust-simd-adler32
>> create mode 100644 lfs/rust-smallvec-1.8.0
>> create mode 100644 lfs/rust-spdx
>> create mode 100644 lfs/rust-strsim
>> create mode 100644 lfs/rust-syn-2.0.90
>> create mode 100644 lfs/rust-tempfile
>> create mode 100644 lfs/rust-tinystr
>> create mode 100644 lfs/rust-topological-sort
>> create mode 100644 lfs/rust-unicode-xid-0.2.1
>> create mode 100644 lfs/rust-url
>> create mode 100644 lfs/rust-utf16_iter
>> create mode 100644 lfs/rust-utf8_iter
>> create mode 100644 lfs/rust-utf8parse
>> create mode 100644 lfs/rust-wasip2
>> create mode 100644 lfs/rust-wasm-encoder
>> create mode 100644 lfs/rust-wasm-metadata
>> create mode 100644 lfs/rust-wasmparser
>> create mode 100644 lfs/rust-windows-link
>> create mode 100644 lfs/rust-windows-sys
>> create mode 100644 lfs/rust-wit-bindgen
>> create mode 100644 lfs/rust-wit-bindgen-core
>> create mode 100644 lfs/rust-wit-bindgen-rust
>> create mode 100644 lfs/rust-wit-bindgen-rust-macro
>> create mode 100644 lfs/rust-wit-component
>> create mode 100644 lfs/rust-wit-parser
>> create mode 100644 lfs/rust-write16
>> create mode 100644 lfs/rust-writeable
>> create mode 100644 lfs/rust-yoke
>> create mode 100644 lfs/rust-yoke-derive
>> create mode 100644 lfs/rust-zerofrom
>> create mode 100644 lfs/rust-zerofrom-derive
>> create mode 100644 lfs/rust-zerotrie
>> create mode 100644 lfs/rust-zerovec
>> create mode 100644 lfs/rust-zerovec-derive
>> create mode 100644 src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
>>
>> --
>> 2.47.3
>>
>>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 0/3] suricata: Add ability to purge the sgh cache
2026-01-23 10:33 ` Adolf Belka
@ 2026-01-23 10:43 ` Michael Tremer
0 siblings, 0 replies; 17+ messages in thread
From: Michael Tremer @ 2026-01-23 10:43 UTC (permalink / raw)
To: Adolf Belka; +Cc: Stefan Schantl, IPFire: Development-List
Hello Adolf,
> On 23 Jan 2026, at 10:33, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Hi Michael,
>
> On 23/01/2026 11:09, Michael Tremer wrote:
>> Hello Stefan,
>> Thank you for this patch.
>> It baffles me that some functionality that could be implemented in a single find command is pulling in just under one hundred more Rust crates. Shipping crates that even have the word “Windows” in their name is beyond me since we are a Linux distribution.
>
> This is happening because we are building the rust crates in offline mode and so it is up to us to figure out which OS we should be supporting.
>
> So you have to patch the Cargo.toml file in the rust module tarball to disable or remove any entries related to windows or wasm or any other OS that is not linux and where building the module tries to bring additional modules not related to Linux.
> This is something I have had to do with every Rust update and also with all my attempts with the Python update that also ends up needing updated and many additional rust modules.
Stefan might have to confirm this, but I suppose it is much easier to use the scripts that we have to add another Rust crate instead of manually patching the Cargo.toml files.
> The good thing is that a lot of what Stefan has built here, except for the windows crates, are also required for the python update.
I urged him to contact you first, but I assume he has been so in the zone that he just wanted to get it done with.
> On that point I will send out a separate email regarding my status and position.
I will keep an eye out for this!
-Michael
>> I understand that we have no other choice in this instance and that we will need these things anyways for any future versions of Suricata.
>> To state this once more, this is something that seems absolutely unmaintainable to me. The pure quantity of the code that is being added is completely unauditable, well… you all know how I am feeling about this.
>> I will merge this now and then we will have to have a little conversation about the state of Rust in IPFire.
>
> That would be a good topic to discuss.
>
> Regards,
>
> Adolf.
>
>
>> Best,
>> -Michael
>>> On 23 Jan 2026, at 05:26, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>
>>> Good morning list followers,
>>>
>>> I've recently finished building and testing the patched suricata version
>>> on my productive system.
>>>
>>> When starting the patched suricata or doing a reload operation, all the
>>> sgh cache files which are older than 7 days have been removed
>>> successfully.
>>>
>>> So for me this changes can be shipped to a bigger group of testers.
>>>
>>> Best regards,
>>>
>>> -Stefan
>>>
>>> Stefan Schantl (3):
>>> suricata: Add upstream patch to purge sgh-mpm-caches
>>> rust: Update to 1.92.0
>>> cbindgen: New package
>>>
>>> config/rootfiles/common/aarch64/rust | 130 +-
>>> config/rootfiles/common/cbindgen | 1 +
>>> config/rootfiles/common/riscv64/rust | 109 +-
>>> config/rootfiles/common/rust-adler2 | 15 +
>>> config/rootfiles/common/rust-anstream | 22 +
>>> config/rootfiles/common/rust-anstyle | 15 +
>>> config/rootfiles/common/rust-anstyle-parse | 16 +
>>> config/rootfiles/common/rust-anstyle-query | 11 +
>>> config/rootfiles/common/rust-anstyle-wincon | 14 +
>>> config/rootfiles/common/rust-anyhow | 56 +
>>> config/rootfiles/common/rust-auditable-serde | 9 +
>>> config/rootfiles/common/rust-bitflags | 63 +
>>> config/rootfiles/common/rust-clap | 154 ++
>>> config/rootfiles/common/rust-clap_builder | 71 +
>>> config/rootfiles/common/rust-clap_lex | 9 +
>>> config/rootfiles/common/rust-colorchoice | 8 +
>>> config/rootfiles/common/rust-crc32fast | 19 +
>>> config/rootfiles/common/rust-displaydoc | 42 +
>>> config/rootfiles/common/rust-errno | 16 +
>>> config/rootfiles/common/rust-fastrand | 16 +
>>> config/rootfiles/common/rust-flate2 | 71 +
>>> config/rootfiles/common/rust-form_urlencoded | 8 +
>>> config/rootfiles/common/rust-getrandom | 85 +-
>>> config/rootfiles/common/rust-getrandom-0.2.4 | 38 +
>>> config/rootfiles/common/rust-heck | 17 +
>>> config/rootfiles/common/rust-humantime | 16 +
>>> config/rootfiles/common/rust-icu_collections | 85 ++
>>> config/rootfiles/common/rust-icu_locale_core | 105 ++
>>> config/rootfiles/common/rust-icu_normalizer | 42 +
>>> .../rootfiles/common/rust-icu_normalizer_data | 17 +
>>> config/rootfiles/common/rust-icu_properties | 19 +
>>> .../rootfiles/common/rust-icu_properties_data | 139 ++
>>> config/rootfiles/common/rust-icu_provider | 29 +
>>> config/rootfiles/common/rust-id-arena | 14 +
>>> config/rootfiles/common/rust-idna | 24 +
>>> config/rootfiles/common/rust-idna_adapter | 9 +
>>> .../common/rust-is_terminal_polyfill | 8 +
>>> config/rootfiles/common/rust-leb128fmt | 9 +
>>> config/rootfiles/common/rust-libc | 801 ++++++----
>>> config/rootfiles/common/rust-libc-0.2.108 | 277 ++++
>>> config/rootfiles/common/rust-linux-raw-sys | 410 +++++
>>> config/rootfiles/common/rust-litemap | 27 +
>>> config/rootfiles/common/rust-log | 47 +-
>>> config/rootfiles/common/rust-log-0.4.14 | 22 +
>>> config/rootfiles/common/rust-miniz_oxide | 24 +
>>> config/rootfiles/common/rust-once_cell | 55 +-
>>> config/rootfiles/common/rust-once_cell-1.9.0 | 24 +
>>> .../rootfiles/common/rust-once_cell_polyfill | 10 +
>>> config/rootfiles/common/rust-percent-encoding | 9 +
>>> config/rootfiles/common/rust-potential_utf | 10 +
>>> config/rootfiles/common/rust-prettyplease | 39 +
>>> config/rootfiles/common/rust-r-efi | 71 +
>>> config/rootfiles/common/rust-rustix | 403 +++++
>>> config/rootfiles/common/rust-semver | 42 +-
>>> config/rootfiles/common/rust-semver-0.9.0 | 15 +
>>> config/rootfiles/common/rust-semver-parser | 33 +-
>>> .../rootfiles/common/rust-semver-parser-0.7.0 | 12 +
>>> config/rootfiles/common/rust-serde | 71 +-
>>> config/rootfiles/common/rust-serde-1.0.216 | 32 +
>>> config/rootfiles/common/rust-serde_core | 31 +
>>> config/rootfiles/common/rust-serde_derive | 67 +-
>>> .../common/rust-serde_derive-1.0.216 | 28 +
>>> config/rootfiles/common/rust-simd-adler32 | 19 +
>>> config/rootfiles/common/rust-smallvec | 40 +-
>>> config/rootfiles/common/rust-smallvec-1.8.0 | 18 +
>>> config/rootfiles/common/rust-spdx | 605 ++++++++
>>> .../rootfiles/common/rust-stable_deref_trait | 18 +-
>>> config/rootfiles/common/rust-strsim | 14 +
>>> config/rootfiles/common/rust-syn | 225 +--
>>> config/rootfiles/common/rust-syn-2.0.90 | 111 ++
>>> config/rootfiles/common/rust-synstructure | 16 +-
>>> config/rootfiles/common/rust-tempfile | 32 +
>>> config/rootfiles/common/rust-tinystr | 25 +
>>> config/rootfiles/common/rust-topological-sort | 9 +
>>> config/rootfiles/common/rust-unicode-xid | 30 +-
>>> .../rootfiles/common/rust-unicode-xid-0.2.1 | 14 +
>>> config/rootfiles/common/rust-url | 20 +
>>> config/rootfiles/common/rust-utf16_iter | 12 +
>>> config/rootfiles/common/rust-utf8_iter | 12 +
>>> config/rootfiles/common/rust-utf8parse | 12 +
>>> config/rootfiles/common/rust-wasip2 | 30 +
>>> config/rootfiles/common/rust-wasm-encoder | 45 +
>>> config/rootfiles/common/rust-wasm-metadata | 31 +
>>> config/rootfiles/common/rust-wasmparser | 79 +
>>> config/rootfiles/common/rust-windows-link | 9 +
>>> config/rootfiles/common/rust-windows-sys | 505 +++++++
>>> config/rootfiles/common/rust-wit-bindgen | 42 +
>>> config/rootfiles/common/rust-wit-bindgen-core | 15 +
>>> config/rootfiles/common/rust-wit-bindgen-rust | 21 +
>>> .../common/rust-wit-bindgen-rust-macro | 10 +
>>> config/rootfiles/common/rust-wit-component | 1006 +++++++++++++
>>> config/rootfiles/common/rust-wit-parser | 621 ++++++++
>>> config/rootfiles/common/rust-write16 | 10 +
>>> config/rootfiles/common/rust-writeable | 23 +
>>> config/rootfiles/common/rust-yoke | 18 +
>>> config/rootfiles/common/rust-yoke-derive | 11 +
>>> config/rootfiles/common/rust-zerofrom | 9 +
>>> config/rootfiles/common/rust-zerofrom-derive | 11 +
>>> config/rootfiles/common/rust-zerotrie | 44 +
>>> config/rootfiles/common/rust-zerovec | 69 +
>>> config/rootfiles/common/rust-zerovec-derive | 17 +
>>> config/rootfiles/common/x86_64/rust | 82 +-
>>> config/suricata/suricata.yaml | 1 +
>>> lfs/cbindgen | 80 +
>>> lfs/rust | 13 +-
>>> lfs/rust-adler2 | 81 +
>>> lfs/rust-anstream | 81 +
>>> lfs/rust-anstyle | 81 +
>>> lfs/rust-anstyle-parse | 81 +
>>> lfs/rust-anstyle-query | 81 +
>>> lfs/rust-anstyle-wincon | 81 +
>>> lfs/rust-anyhow | 81 +
>>> lfs/rust-auditable-serde | 81 +
>>> lfs/rust-bitflags | 81 +
>>> lfs/rust-clap | 81 +
>>> lfs/rust-clap_builder | 81 +
>>> lfs/rust-clap_lex | 81 +
>>> lfs/rust-colorchoice | 81 +
>>> lfs/rust-crc32fast | 81 +
>>> lfs/rust-displaydoc | 81 +
>>> lfs/rust-errno | 81 +
>>> lfs/rust-fastrand | 81 +
>>> lfs/rust-flate2 | 81 +
>>> lfs/rust-form_urlencoded | 81 +
>>> lfs/rust-getrandom | 8 +-
>>> lfs/rust-getrandom-0.2.4 | 81 +
>>> lfs/rust-heck | 81 +
>>> lfs/rust-humantime | 81 +
>>> lfs/rust-icu_collections | 81 +
>>> lfs/rust-icu_locale_core | 81 +
>>> lfs/rust-icu_normalizer | 81 +
>>> lfs/rust-icu_normalizer_data | 81 +
>>> lfs/rust-icu_properties | 81 +
>>> lfs/rust-icu_properties_data | 81 +
>>> lfs/rust-icu_provider | 81 +
>>> lfs/rust-id-arena | 81 +
>>> lfs/rust-idna | 81 +
>>> lfs/rust-idna_adapter | 81 +
>>> lfs/rust-is_terminal_polyfill | 81 +
>>> lfs/rust-leb128fmt | 81 +
>>> lfs/rust-libc | 7 +-
>>> lfs/rust-libc-0.2.108 | 80 +
>>> lfs/rust-linux-raw-sys | 81 +
>>> lfs/rust-litemap | 81 +
>>> lfs/rust-log | 12 +-
>>> lfs/rust-log-0.4.14 | 85 ++
>>> lfs/rust-miniz_oxide | 81 +
>>> lfs/rust-once_cell | 12 +-
>>> lfs/rust-once_cell-1.9.0 | 85 ++
>>> lfs/rust-once_cell_polyfill | 81 +
>>> lfs/rust-percent-encoding | 81 +
>>> lfs/rust-potential_utf | 81 +
>>> lfs/rust-prettyplease | 81 +
>>> lfs/rust-r-efi | 81 +
>>> lfs/rust-rustix | 81 +
>>> lfs/rust-semver | 12 +-
>>> lfs/rust-semver-0.9.0 | 85 ++
>>> lfs/rust-semver-parser | 7 +-
>>> lfs/rust-semver-parser-0.7.0 | 80 +
>>> lfs/rust-serde | 4 +-
>>> lfs/rust-serde-1.0.216 | 81 +
>>> lfs/rust-serde_core | 81 +
>>> lfs/rust-serde_derive | 4 +-
>>> lfs/rust-serde_derive-1.0.216 | 81 +
>>> lfs/rust-simd-adler32 | 81 +
>>> lfs/rust-smallvec | 12 +-
>>> lfs/rust-smallvec-1.8.0 | 85 ++
>>> lfs/rust-spdx | 81 +
>>> lfs/rust-stable_deref_trait | 12 +-
>>> lfs/rust-strsim | 81 +
>>> lfs/rust-syn | 4 +-
>>> lfs/rust-syn-2.0.90 | 81 +
>>> lfs/rust-synstructure | 4 +-
>>> lfs/rust-tempfile | 81 +
>>> lfs/rust-tinystr | 81 +
>>> lfs/rust-topological-sort | 81 +
>>> lfs/rust-unicode-xid | 7 +-
>>> lfs/rust-unicode-xid-0.2.1 | 80 +
>>> lfs/rust-url | 81 +
>>> lfs/rust-utf16_iter | 81 +
>>> lfs/rust-utf8_iter | 81 +
>>> lfs/rust-utf8parse | 81 +
>>> lfs/rust-wasip2 | 81 +
>>> lfs/rust-wasm-encoder | 81 +
>>> lfs/rust-wasm-metadata | 81 +
>>> lfs/rust-wasmparser | 81 +
>>> lfs/rust-windows-link | 81 +
>>> lfs/rust-windows-sys | 81 +
>>> lfs/rust-wit-bindgen | 81 +
>>> lfs/rust-wit-bindgen-core | 81 +
>>> lfs/rust-wit-bindgen-rust | 81 +
>>> lfs/rust-wit-bindgen-rust-macro | 81 +
>>> lfs/rust-wit-component | 81 +
>>> lfs/rust-wit-parser | 81 +
>>> lfs/rust-write16 | 81 +
>>> lfs/rust-writeable | 81 +
>>> lfs/rust-yoke | 81 +
>>> lfs/rust-yoke-derive | 81 +
>>> lfs/rust-zerofrom | 81 +
>>> lfs/rust-zerofrom-derive | 81 +
>>> lfs/rust-zerotrie | 81 +
>>> lfs/rust-zerovec | 81 +
>>> lfs/rust-zerovec-derive | 81 +
>>> lfs/suricata | 13 +-
>>> make.sh | 133 +-
>>> ...suricata-8.0.3-purge-hyperscan-cache.patch | 1341 +++++++++++++++++
>>> 206 files changed, 15762 insertions(+), 853 deletions(-)
>>> create mode 100644 config/rootfiles/common/cbindgen
>>> create mode 100644 config/rootfiles/common/rust-adler2
>>> create mode 100644 config/rootfiles/common/rust-anstream
>>> create mode 100644 config/rootfiles/common/rust-anstyle
>>> create mode 100644 config/rootfiles/common/rust-anstyle-parse
>>> create mode 100644 config/rootfiles/common/rust-anstyle-query
>>> create mode 100644 config/rootfiles/common/rust-anstyle-wincon
>>> create mode 100644 config/rootfiles/common/rust-anyhow
>>> create mode 100644 config/rootfiles/common/rust-auditable-serde
>>> create mode 100644 config/rootfiles/common/rust-bitflags
>>> create mode 100644 config/rootfiles/common/rust-clap
>>> create mode 100644 config/rootfiles/common/rust-clap_builder
>>> create mode 100644 config/rootfiles/common/rust-clap_lex
>>> create mode 100644 config/rootfiles/common/rust-colorchoice
>>> create mode 100644 config/rootfiles/common/rust-crc32fast
>>> create mode 100644 config/rootfiles/common/rust-displaydoc
>>> create mode 100644 config/rootfiles/common/rust-errno
>>> create mode 100644 config/rootfiles/common/rust-fastrand
>>> create mode 100644 config/rootfiles/common/rust-flate2
>>> create mode 100644 config/rootfiles/common/rust-form_urlencoded
>>> create mode 100644 config/rootfiles/common/rust-getrandom-0.2.4
>>> create mode 100644 config/rootfiles/common/rust-heck
>>> create mode 100644 config/rootfiles/common/rust-humantime
>>> create mode 100644 config/rootfiles/common/rust-icu_collections
>>> create mode 100644 config/rootfiles/common/rust-icu_locale_core
>>> create mode 100644 config/rootfiles/common/rust-icu_normalizer
>>> create mode 100644 config/rootfiles/common/rust-icu_normalizer_data
>>> create mode 100644 config/rootfiles/common/rust-icu_properties
>>> create mode 100644 config/rootfiles/common/rust-icu_properties_data
>>> create mode 100644 config/rootfiles/common/rust-icu_provider
>>> create mode 100644 config/rootfiles/common/rust-id-arena
>>> create mode 100644 config/rootfiles/common/rust-idna
>>> create mode 100644 config/rootfiles/common/rust-idna_adapter
>>> create mode 100644 config/rootfiles/common/rust-is_terminal_polyfill
>>> create mode 100644 config/rootfiles/common/rust-leb128fmt
>>> create mode 100644 config/rootfiles/common/rust-libc-0.2.108
>>> create mode 100644 config/rootfiles/common/rust-linux-raw-sys
>>> create mode 100644 config/rootfiles/common/rust-litemap
>>> create mode 100644 config/rootfiles/common/rust-log-0.4.14
>>> create mode 100644 config/rootfiles/common/rust-miniz_oxide
>>> create mode 100644 config/rootfiles/common/rust-once_cell-1.9.0
>>> create mode 100644 config/rootfiles/common/rust-once_cell_polyfill
>>> create mode 100644 config/rootfiles/common/rust-percent-encoding
>>> create mode 100644 config/rootfiles/common/rust-potential_utf
>>> create mode 100644 config/rootfiles/common/rust-prettyplease
>>> create mode 100644 config/rootfiles/common/rust-r-efi
>>> create mode 100644 config/rootfiles/common/rust-rustix
>>> create mode 100644 config/rootfiles/common/rust-semver-0.9.0
>>> create mode 100644 config/rootfiles/common/rust-semver-parser-0.7.0
>>> create mode 100644 config/rootfiles/common/rust-serde-1.0.216
>>> create mode 100644 config/rootfiles/common/rust-serde_core
>>> create mode 100644 config/rootfiles/common/rust-serde_derive-1.0.216
>>> create mode 100644 config/rootfiles/common/rust-simd-adler32
>>> create mode 100644 config/rootfiles/common/rust-smallvec-1.8.0
>>> create mode 100644 config/rootfiles/common/rust-spdx
>>> create mode 100644 config/rootfiles/common/rust-strsim
>>> create mode 100644 config/rootfiles/common/rust-syn-2.0.90
>>> create mode 100644 config/rootfiles/common/rust-tempfile
>>> create mode 100644 config/rootfiles/common/rust-tinystr
>>> create mode 100644 config/rootfiles/common/rust-topological-sort
>>> create mode 100644 config/rootfiles/common/rust-unicode-xid-0.2.1
>>> create mode 100644 config/rootfiles/common/rust-url
>>> create mode 100644 config/rootfiles/common/rust-utf16_iter
>>> create mode 100644 config/rootfiles/common/rust-utf8_iter
>>> create mode 100644 config/rootfiles/common/rust-utf8parse
>>> create mode 100644 config/rootfiles/common/rust-wasip2
>>> create mode 100644 config/rootfiles/common/rust-wasm-encoder
>>> create mode 100644 config/rootfiles/common/rust-wasm-metadata
>>> create mode 100644 config/rootfiles/common/rust-wasmparser
>>> create mode 100644 config/rootfiles/common/rust-windows-link
>>> create mode 100644 config/rootfiles/common/rust-windows-sys
>>> create mode 100644 config/rootfiles/common/rust-wit-bindgen
>>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-core
>>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust
>>> create mode 100644 config/rootfiles/common/rust-wit-bindgen-rust-macro
>>> create mode 100644 config/rootfiles/common/rust-wit-component
>>> create mode 100644 config/rootfiles/common/rust-wit-parser
>>> create mode 100644 config/rootfiles/common/rust-write16
>>> create mode 100644 config/rootfiles/common/rust-writeable
>>> create mode 100644 config/rootfiles/common/rust-yoke
>>> create mode 100644 config/rootfiles/common/rust-yoke-derive
>>> create mode 100644 config/rootfiles/common/rust-zerofrom
>>> create mode 100644 config/rootfiles/common/rust-zerofrom-derive
>>> create mode 100644 config/rootfiles/common/rust-zerotrie
>>> create mode 100644 config/rootfiles/common/rust-zerovec
>>> create mode 100644 config/rootfiles/common/rust-zerovec-derive
>>> create mode 100644 lfs/cbindgen
>>> create mode 100644 lfs/rust-adler2
>>> create mode 100644 lfs/rust-anstream
>>> create mode 100644 lfs/rust-anstyle
>>> create mode 100644 lfs/rust-anstyle-parse
>>> create mode 100644 lfs/rust-anstyle-query
>>> create mode 100644 lfs/rust-anstyle-wincon
>>> create mode 100644 lfs/rust-anyhow
>>> create mode 100644 lfs/rust-auditable-serde
>>> create mode 100644 lfs/rust-bitflags
>>> create mode 100644 lfs/rust-clap
>>> create mode 100644 lfs/rust-clap_builder
>>> create mode 100644 lfs/rust-clap_lex
>>> create mode 100644 lfs/rust-colorchoice
>>> create mode 100644 lfs/rust-crc32fast
>>> create mode 100644 lfs/rust-displaydoc
>>> create mode 100644 lfs/rust-errno
>>> create mode 100644 lfs/rust-fastrand
>>> create mode 100644 lfs/rust-flate2
>>> create mode 100644 lfs/rust-form_urlencoded
>>> create mode 100644 lfs/rust-getrandom-0.2.4
>>> create mode 100644 lfs/rust-heck
>>> create mode 100644 lfs/rust-humantime
>>> create mode 100644 lfs/rust-icu_collections
>>> create mode 100644 lfs/rust-icu_locale_core
>>> create mode 100644 lfs/rust-icu_normalizer
>>> create mode 100644 lfs/rust-icu_normalizer_data
>>> create mode 100644 lfs/rust-icu_properties
>>> create mode 100644 lfs/rust-icu_properties_data
>>> create mode 100644 lfs/rust-icu_provider
>>> create mode 100644 lfs/rust-id-arena
>>> create mode 100644 lfs/rust-idna
>>> create mode 100644 lfs/rust-idna_adapter
>>> create mode 100644 lfs/rust-is_terminal_polyfill
>>> create mode 100644 lfs/rust-leb128fmt
>>> create mode 100644 lfs/rust-libc-0.2.108
>>> create mode 100644 lfs/rust-linux-raw-sys
>>> create mode 100644 lfs/rust-litemap
>>> create mode 100644 lfs/rust-log-0.4.14
>>> create mode 100644 lfs/rust-miniz_oxide
>>> create mode 100644 lfs/rust-once_cell-1.9.0
>>> create mode 100644 lfs/rust-once_cell_polyfill
>>> create mode 100644 lfs/rust-percent-encoding
>>> create mode 100644 lfs/rust-potential_utf
>>> create mode 100644 lfs/rust-prettyplease
>>> create mode 100644 lfs/rust-r-efi
>>> create mode 100644 lfs/rust-rustix
>>> create mode 100644 lfs/rust-semver-0.9.0
>>> create mode 100644 lfs/rust-semver-parser-0.7.0
>>> create mode 100644 lfs/rust-serde-1.0.216
>>> create mode 100644 lfs/rust-serde_core
>>> create mode 100644 lfs/rust-serde_derive-1.0.216
>>> create mode 100644 lfs/rust-simd-adler32
>>> create mode 100644 lfs/rust-smallvec-1.8.0
>>> create mode 100644 lfs/rust-spdx
>>> create mode 100644 lfs/rust-strsim
>>> create mode 100644 lfs/rust-syn-2.0.90
>>> create mode 100644 lfs/rust-tempfile
>>> create mode 100644 lfs/rust-tinystr
>>> create mode 100644 lfs/rust-topological-sort
>>> create mode 100644 lfs/rust-unicode-xid-0.2.1
>>> create mode 100644 lfs/rust-url
>>> create mode 100644 lfs/rust-utf16_iter
>>> create mode 100644 lfs/rust-utf8_iter
>>> create mode 100644 lfs/rust-utf8parse
>>> create mode 100644 lfs/rust-wasip2
>>> create mode 100644 lfs/rust-wasm-encoder
>>> create mode 100644 lfs/rust-wasm-metadata
>>> create mode 100644 lfs/rust-wasmparser
>>> create mode 100644 lfs/rust-windows-link
>>> create mode 100644 lfs/rust-windows-sys
>>> create mode 100644 lfs/rust-wit-bindgen
>>> create mode 100644 lfs/rust-wit-bindgen-core
>>> create mode 100644 lfs/rust-wit-bindgen-rust
>>> create mode 100644 lfs/rust-wit-bindgen-rust-macro
>>> create mode 100644 lfs/rust-wit-component
>>> create mode 100644 lfs/rust-wit-parser
>>> create mode 100644 lfs/rust-write16
>>> create mode 100644 lfs/rust-writeable
>>> create mode 100644 lfs/rust-yoke
>>> create mode 100644 lfs/rust-yoke-derive
>>> create mode 100644 lfs/rust-zerofrom
>>> create mode 100644 lfs/rust-zerofrom-derive
>>> create mode 100644 lfs/rust-zerotrie
>>> create mode 100644 lfs/rust-zerovec
>>> create mode 100644 lfs/rust-zerovec-derive
>>> create mode 100644 src/patches/suricata/suricata-8.0.3-purge-hyperscan-cache.patch
>>>
>>> --
>>> 2.47.3
>>>
>>>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-23 10:31 ` Updating rust and eco system Michael Tremer
@ 2026-01-23 11:06 ` Adolf Belka
2026-01-25 14:19 ` Michael Tremer
0 siblings, 1 reply; 17+ messages in thread
From: Adolf Belka @ 2026-01-23 11:06 UTC (permalink / raw)
To: Michael Tremer; +Cc: IPFire: Development-List
Hi Michael,
On 23/01/2026 11:31, Michael Tremer wrote:
> Hello Stefan,
> Hello list,
>
> Thank you for looking at this. Of course it is very important that we are able to stay on the latest version of Suricata.
>
> I have merged your monster of a patch so that we can move on for now, but I have a couple of bigger questions that we all should have a look at:
>
> Adolf has in the past spent a lot of time on updating Rust. This is all tapping into Python - or rather python-cryptography - having some Rust code that has further dependencies. In essence, it has been a huge headache to update this. Maybe Adolf even has some other words for this all.
My words on this are that I have now tried multiple times to get a new python update built. Each time I have done it a bit different but the end result has been the same and that is that python-cryptography (which requires rust modules to be built) ends up requiring python-maturin that requires more rust modules but at the end of this the python-cryptography fails to find the built rust modules.
I have been stuck at this last point so many times that I have realised that I am finding lots of reasons not to go and work on the python update.
That is not a good position and also python has now moved from 3.13 to 3.14 so things are moving away from me.
I have come to the conclusion that someone else, more capable than me needs to have a go at the python update, so I am giving up on it but will continue working on other things.
>
> Just building cbindgen has required a further ~98 Rust crates to be packaged. Often we have the same crate in different versions because other crates have pinned a specific version. In total, we currently have ~790 packages in IPFire. Out of those, there are 202 packages in the rust-* namespace. That is pretty much a quarter of the distribution. Although not a lot in size, this is a considerable maintenance burden.
>
> ClamAV and Suricata have (recently?) started to bundle all their Rust dependencies with their release tarballs. Although this is not a good thing for many other reasons, it will move the onus onto the upstream projects to provide whatever they need. If their dependencies (and the dependencies of their dependencies) explode, this is not really our problem any more as well as any supply chain problems. Great - within reason.
>
> That leaves us with only very few packages that would actually require any external Rust crates (Suricata is even configured to *exclusively* use their bundled crates): cbindgen as a new thing, python-cryptography, anything else? We might actually only need a fraction of the Rust crates that we currently have as the only packages that may actually tap into our locally built repository are only those two.
Unfortunately there is the addon oci-python-sdk that uses python-cryptography.
>
> Is anyone happy to give this all a try and cleanup any old Rust deps? That way, I hope we will have a much smoother ride moving forward with a Python update.
I can take the current status, before Stefan's patches, and see how many existing rust modules can be removed. Anything that can be removed is a step forward.
I think a problem moving forward is that more python modules are ending up being a combination of python and rust as the cryptography and maturin modules have already done. I have also seen a lot of rust modules covering the same stuff as covered by python modules. So the future I think looks like it will continue to be very frustrating.
Regards,
Adolf.
>
> All the best,
> -Michael
>
>> On 22 Jan 2026, at 17:38, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>
>> Hello list followers,
>>
>> I'm currently updating rust and affected modules.
>>
>> This happends mainly because I'm trying to fix the "suricata cache
>> grows infinite" problem, which a lot of people are affected.
>>
>> To archive this, I ported the patches from suricata main development
>> branch to our used suricata version (8.0.3).
>>
>> To perform a full build, a new tool called cbindgen - which is a rust
>> to c bindings generator, is required.
>>
>> Sadly this tool is also written in rust and requires some new
>> dependencies and a more up to date rust compiler.
>>
>> I hope to send a patchset for all this very soon to the mailing list.
>>
>> Best regards,
>>
>> -Stefan
>>
>>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-23 11:06 ` Adolf Belka
@ 2026-01-25 14:19 ` Michael Tremer
2026-01-25 17:46 ` Stefan Schantl
[not found] ` <a7484943d784c0a6e2088b2354f08bfbf42658b2.camel@gmx.at>
0 siblings, 2 replies; 17+ messages in thread
From: Michael Tremer @ 2026-01-25 14:19 UTC (permalink / raw)
To: Adolf Belka; +Cc: IPFire: Development-List
Hello Adolf,
> On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Hi Michael,
>
> On 23/01/2026 11:31, Michael Tremer wrote:
>> Hello Stefan,
>> Hello list,
>> Thank you for looking at this. Of course it is very important that we are able to stay on the latest version of Suricata.
>> I have merged your monster of a patch so that we can move on for now, but I have a couple of bigger questions that we all should have a look at:
>> Adolf has in the past spent a lot of time on updating Rust. This is all tapping into Python - or rather python-cryptography - having some Rust code that has further dependencies. In essence, it has been a huge headache to update this. Maybe Adolf even has some other words for this all.
>
> My words on this are that I have now tried multiple times to get a new python update built. Each time I have done it a bit different but the end result has been the same and that is that python-cryptography (which requires rust modules to be built) ends up requiring python-maturin that requires more rust modules but at the end of this the python-cryptography fails to find the built rust modules.
>
> I have been stuck at this last point so many times that I have realised that I am finding lots of reasons not to go and work on the python update.
> That is not a good position and also python has now moved from 3.13 to 3.14 so things are moving away from me.
>
> I have come to the conclusion that someone else, more capable than me needs to have a go at the python update, so I am giving up on it but will continue working on other things.
Hmm okay, you sound like you are giving up on this :) I know how many hours (we probably need to measure those in days or even weeks) you have spent on this though.
Let’s pool resources together and finally get this done. Hopefully this will be a smoother ride as a combined effort.
>> Just building cbindgen has required a further ~98 Rust crates to be packaged. Often we have the same crate in different versions because other crates have pinned a specific version. In total, we currently have ~790 packages in IPFire. Out of those, there are 202 packages in the rust-* namespace. That is pretty much a quarter of the distribution. Although not a lot in size, this is a considerable maintenance burden.
>> ClamAV and Suricata have (recently?) started to bundle all their Rust dependencies with their release tarballs. Although this is not a good thing for many other reasons, it will move the onus onto the upstream projects to provide whatever they need. If their dependencies (and the dependencies of their dependencies) explode, this is not really our problem any more as well as any supply chain problems. Great - within reason.
>> That leaves us with only very few packages that would actually require any external Rust crates (Suricata is even configured to *exclusively* use their bundled crates): cbindgen as a new thing, python-cryptography, anything else? We might actually only need a fraction of the Rust crates that we currently have as the only packages that may actually tap into our locally built repository are only those two.
>
> Unfortunately there is the addon oci-python-sdk that uses python-cryptography.
python-cryptography was on my list. oci-python-sdk only uses Rust indirectly through python-cryptography, right?
>> Is anyone happy to give this all a try and cleanup any old Rust deps? That way, I hope we will have a much smoother ride moving forward with a Python update.
>
> I can take the current status, before Stefan's patches, and see how many existing rust modules can be removed. Anything that can be removed is a step forward.
Yes, I think we should try to shrink what we have now if that is possible at all. As most packages are bundling all Rust deps, there should be some we won’t need any more in the system.
Then, we hopefully have much less to update/worry about in any other way when we start touching python-cryptography.
So who is volunteering to do this? Commenting out all Rust packages, then build python-cryptography which will fail as it requires some Rust crates. Those will be there so they will only have to be commented in again. Once the package builds, we should then have a couple of packages still commented that we can drop.
> I think a problem moving forward is that more python modules are ending up being a combination of python and rust as the cryptography and maturin modules have already done. I have also seen a lot of rust modules covering the same stuff as covered by python modules. So the future I think looks like it will continue to be very frustrating.
Yes it does, but we will have to find a way whether we want it or not.
-Michael
> Regards,
>
> Adolf.
>
>
>> All the best,
>> -Michael
>>> On 22 Jan 2026, at 17:38, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>
>>> Hello list followers,
>>>
>>> I'm currently updating rust and affected modules.
>>>
>>> This happends mainly because I'm trying to fix the "suricata cache
>>> grows infinite" problem, which a lot of people are affected.
>>>
>>> To archive this, I ported the patches from suricata main development
>>> branch to our used suricata version (8.0.3).
>>>
>>> To perform a full build, a new tool called cbindgen - which is a rust
>>> to c bindings generator, is required.
>>>
>>> Sadly this tool is also written in rust and requires some new
>>> dependencies and a more up to date rust compiler.
>>>
>>> I hope to send a patchset for all this very soon to the mailing list.
>>>
>>> Best regards,
>>>
>>> -Stefan
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-25 14:19 ` Michael Tremer
@ 2026-01-25 17:46 ` Stefan Schantl
[not found] ` <a7484943d784c0a6e2088b2354f08bfbf42658b2.camel@gmx.at>
1 sibling, 0 replies; 17+ messages in thread
From: Stefan Schantl @ 2026-01-25 17:46 UTC (permalink / raw)
To: development
Hello Adolf,
Hello Michael,
I would give the rust cleanup a try in the next few days.
Adolf may I can ask you to put your current state of the python update
into a git repositry?
Thanks in advance,
-Stefan
> Hello Adolf,
>
> > On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
> > wrote:
> >
> > Hi Michael,
> >
> > On 23/01/2026 11:31, Michael Tremer wrote:
> > > Hello Stefan,
> > > Hello list,
> > > Thank you for looking at this. Of course it is very important
> > > that we are able to stay on the latest version of Suricata.
> > > I have merged your monster of a patch so that we can move on for
> > > now, but I have a couple of bigger questions that we all should
> > > have a look at:
> > > Adolf has in the past spent a lot of time on updating Rust. This
> > > is all tapping into Python - or rather python-cryptography -
> > > having some Rust code that has further dependencies. In essence,
> > > it has been a huge headache to update this. Maybe Adolf even has
> > > some other words for this all.
> >
> > My words on this are that I have now tried multiple times to get a
> > new python update built. Each time I have done it a bit different
> > but the end result has been the same and that is that python-
> > cryptography (which requires rust modules to be built) ends up
> > requiring python-maturin that requires more rust modules but at the
> > end of this the python-cryptography fails to find the built rust
> > modules.
> >
> > I have been stuck at this last point so many times that I have
> > realised that I am finding lots of reasons not to go and work on
> > the python update.
> > That is not a good position and also python has now moved from 3.13
> > to 3.14 so things are moving away from me.
> >
> > I have come to the conclusion that someone else, more capable than
> > me needs to have a go at the python update, so I am giving up on it
> > but will continue working on other things.
>
> Hmm okay, you sound like you are giving up on this :) I know how many
> hours (we probably need to measure those in days or even weeks) you
> have spent on this though.
>
> Let’s pool resources together and finally get this done. Hopefully
> this will be a smoother ride as a combined effort.
>
> > > Just building cbindgen has required a further ~98 Rust crates to
> > > be packaged. Often we have the same crate in different versions
> > > because other crates have pinned a specific version. In total, we
> > > currently have ~790 packages in IPFire. Out of those, there are
> > > 202 packages in the rust-* namespace. That is pretty much a
> > > quarter of the distribution. Although not a lot in size, this is
> > > a considerable maintenance burden.
> > > ClamAV and Suricata have (recently?) started to bundle all their
> > > Rust dependencies with their release tarballs. Although this is
> > > not a good thing for many other reasons, it will move the onus
> > > onto the upstream projects to provide whatever they need. If
> > > their dependencies (and the dependencies of their dependencies)
> > > explode, this is not really our problem any more as well as any
> > > supply chain problems. Great - within reason.
> > > That leaves us with only very few packages that would actually
> > > require any external Rust crates (Suricata is even configured to
> > > *exclusively* use their bundled crates): cbindgen as a new thing,
> > > python-cryptography, anything else? We might actually only need a
> > > fraction of the Rust crates that we currently have as the only
> > > packages that may actually tap into our locally built repository
> > > are only those two.
> >
> > Unfortunately there is the addon oci-python-sdk that uses python-
> > cryptography.
>
> python-cryptography was on my list. oci-python-sdk only uses Rust
> indirectly through python-cryptography, right?
>
> > > Is anyone happy to give this all a try and cleanup any old Rust
> > > deps? That way, I hope we will have a much smoother ride moving
> > > forward with a Python update.
> >
> > I can take the current status, before Stefan's patches, and see how
> > many existing rust modules can be removed. Anything that can be
> > removed is a step forward.
>
> Yes, I think we should try to shrink what we have now if that is
> possible at all. As most packages are bundling all Rust deps, there
> should be some we won’t need any more in the system.
>
> Then, we hopefully have much less to update/worry about in any other
> way when we start touching python-cryptography.
>
> So who is volunteering to do this? Commenting out all Rust packages,
> then build python-cryptography which will fail as it requires some
> Rust crates. Those will be there so they will only have to be
> commented in again. Once the package builds, we should then have a
> couple of packages still commented that we can drop.
>
> > I think a problem moving forward is that more python modules are
> > ending up being a combination of python and rust as the
> > cryptography and maturin modules have already done. I have also
> > seen a lot of rust modules covering the same stuff as covered by
> > python modules. So the future I think looks like it will continue
> > to be very frustrating.
>
> Yes it does, but we will have to find a way whether we want it or
> not.
>
> -Michael
>
> > Regards,
> >
> > Adolf.
> >
> >
> > > All the best,
> > > -Michael
> > > > On 22 Jan 2026, at 17:38, Stefan Schantl
> > > > <stefan.schantl@ipfire.org> wrote:
> > > >
> > > > Hello list followers,
> > > >
> > > > I'm currently updating rust and affected modules.
> > > >
> > > > This happends mainly because I'm trying to fix the "suricata
> > > > cache
> > > > grows infinite" problem, which a lot of people are affected.
> > > >
> > > > To archive this, I ported the patches from suricata main
> > > > development
> > > > branch to our used suricata version (8.0.3).
> > > >
> > > > To perform a full build, a new tool called cbindgen - which is
> > > > a rust
> > > > to c bindings generator, is required.
> > > >
> > > > Sadly this tool is also written in rust and requires some new
> > > > dependencies and a more up to date rust compiler.
> > > >
> > > > I hope to send a patchset for all this very soon to the mailing
> > > > list.
> > > >
> > > > Best regards,
> > > >
> > > > -Stefan
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
[not found] ` <a7484943d784c0a6e2088b2354f08bfbf42658b2.camel@gmx.at>
@ 2026-01-26 13:54 ` Stefan Schantl
2026-01-26 15:31 ` Stefan Schantl
0 siblings, 1 reply; 17+ messages in thread
From: Stefan Schantl @ 2026-01-26 13:54 UTC (permalink / raw)
To: development
Hello list,
currently I'm working on cleaning up the rust packages.
For these I disabled all rust modules in the make.sh file and perform a
clean build as Michael suggested.
At the moment I'm past the stage where "cbindgen" successfully has been
build and have 103 rust modules (inlcluding there sub-dependencies)
only for this one tool.
An additional rust module is required to build suricata. This is
because of patching the source code the required rust module is not
part of their source tarball.
This currently summs to 104 rust modules for the moment.
I'm looking forward when python-cryptography kicks in its module
whishes....
Best regards,
-Stefan
> Hello Adolf,
> Hello Michael,
>
> I would give the rust cleanup a try in the next few days.
>
> Adolf may I can ask you to put your current state of the python
> update
> into a git repositry?
>
> Thanks in advance,
>
> -Stefan
>
> > Hello Adolf,
> >
> > > On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
> > > wrote:
> > >
> > > Hi Michael,
> > >
> > > On 23/01/2026 11:31, Michael Tremer wrote:
> > > > Hello Stefan,
> > > > Hello list,
> > > > Thank you for looking at this. Of course it is very important
> > > > that we are able to stay on the latest version of Suricata.
> > > > I have merged your monster of a patch so that we can move on
> > > > for
> > > > now, but I have a couple of bigger questions that we all should
> > > > have a look at:
> > > > Adolf has in the past spent a lot of time on updating Rust.
> > > > This
> > > > is all tapping into Python - or rather python-cryptography -
> > > > having some Rust code that has further dependencies. In
> > > > essence,
> > > > it has been a huge headache to update this. Maybe Adolf even
> > > > has
> > > > some other words for this all.
> > >
> > > My words on this are that I have now tried multiple times to get
> > > a
> > > new python update built. Each time I have done it a bit different
> > > but the end result has been the same and that is that python-
> > > cryptography (which requires rust modules to be built) ends up
> > > requiring python-maturin that requires more rust modules but at
> > > the
> > > end of this the python-cryptography fails to find the built rust
> > > modules.
> > >
> > > I have been stuck at this last point so many times that I have
> > > realised that I am finding lots of reasons not to go and work on
> > > the python update.
> > > That is not a good position and also python has now moved from
> > > 3.13
> > > to 3.14 so things are moving away from me.
> > >
> > > I have come to the conclusion that someone else, more capable
> > > than
> > > me needs to have a go at the python update, so I am giving up on
> > > it
> > > but will continue working on other things.
> >
> > Hmm okay, you sound like you are giving up on this :) I know how
> > many
> > hours (we probably need to measure those in days or even weeks) you
> > have spent on this though.
> >
> > Let’s pool resources together and finally get this done. Hopefully
> > this will be a smoother ride as a combined effort.
> >
> > > > Just building cbindgen has required a further ~98 Rust crates
> > > > to
> > > > be packaged. Often we have the same crate in different versions
> > > > because other crates have pinned a specific version. In total,
> > > > we
> > > > currently have ~790 packages in IPFire. Out of those, there are
> > > > 202 packages in the rust-* namespace. That is pretty much a
> > > > quarter of the distribution. Although not a lot in size, this
> > > > is
> > > > a considerable maintenance burden.
> > > > ClamAV and Suricata have (recently?) started to bundle all
> > > > their
> > > > Rust dependencies with their release tarballs. Although this is
> > > > not a good thing for many other reasons, it will move the onus
> > > > onto the upstream projects to provide whatever they need. If
> > > > their dependencies (and the dependencies of their dependencies)
> > > > explode, this is not really our problem any more as well as any
> > > > supply chain problems. Great - within reason.
> > > > That leaves us with only very few packages that would actually
> > > > require any external Rust crates (Suricata is even configured
> > > > to
> > > > *exclusively* use their bundled crates): cbindgen as a new
> > > > thing,
> > > > python-cryptography, anything else? We might actually only need
> > > > a
> > > > fraction of the Rust crates that we currently have as the only
> > > > packages that may actually tap into our locally built
> > > > repository
> > > > are only those two.
> > >
> > > Unfortunately there is the addon oci-python-sdk that uses python-
> > > cryptography.
> >
> > python-cryptography was on my list. oci-python-sdk only uses Rust
> > indirectly through python-cryptography, right?
> >
> > > > Is anyone happy to give this all a try and cleanup any old Rust
> > > > deps? That way, I hope we will have a much smoother ride moving
> > > > forward with a Python update.
> > >
> > > I can take the current status, before Stefan's patches, and see
> > > how
> > > many existing rust modules can be removed. Anything that can be
> > > removed is a step forward.
> >
> > Yes, I think we should try to shrink what we have now if that is
> > possible at all. As most packages are bundling all Rust deps, there
> > should be some we won’t need any more in the system.
> >
> > Then, we hopefully have much less to update/worry about in any
> > other
> > way when we start touching python-cryptography.
> >
> > So who is volunteering to do this? Commenting out all Rust
> > packages,
> > then build python-cryptography which will fail as it requires some
> > Rust crates. Those will be there so they will only have to be
> > commented in again. Once the package builds, we should then have a
> > couple of packages still commented that we can drop.
> >
> > > I think a problem moving forward is that more python modules are
> > > ending up being a combination of python and rust as the
> > > cryptography and maturin modules have already done. I have also
> > > seen a lot of rust modules covering the same stuff as covered by
> > > python modules. So the future I think looks like it will continue
> > > to be very frustrating.
> >
> > Yes it does, but we will have to find a way whether we want it or
> > not.
> >
> > -Michael
> >
> > > Regards,
> > >
> > > Adolf.
> > >
> > >
> > > > All the best,
> > > > -Michael
> > > > > On 22 Jan 2026, at 17:38, Stefan Schantl
> > > > > <stefan.schantl@ipfire.org> wrote:
> > > > >
> > > > > Hello list followers,
> > > > >
> > > > > I'm currently updating rust and affected modules.
> > > > >
> > > > > This happends mainly because I'm trying to fix the "suricata
> > > > > cache
> > > > > grows infinite" problem, which a lot of people are affected.
> > > > >
> > > > > To archive this, I ported the patches from suricata main
> > > > > development
> > > > > branch to our used suricata version (8.0.3).
> > > > >
> > > > > To perform a full build, a new tool called cbindgen - which
> > > > > is
> > > > > a rust
> > > > > to c bindings generator, is required.
> > > > >
> > > > > Sadly this tool is also written in rust and requires some new
> > > > > dependencies and a more up to date rust compiler.
> > > > >
> > > > > I hope to send a patchset for all this very soon to the
> > > > > mailing
> > > > > list.
> > > > >
> > > > > Best regards,
> > > > >
> > > > > -Stefan
> >
> >
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-26 13:54 ` Stefan Schantl
@ 2026-01-26 15:31 ` Stefan Schantl
2026-01-26 17:23 ` Michael Tremer
0 siblings, 1 reply; 17+ messages in thread
From: Stefan Schantl @ 2026-01-26 15:31 UTC (permalink / raw)
To: development
Hello list it's me again,
the build process now reached python-cryptography which requires rust-
asn1, which requires rust-ans1_derive, which did not build because of a
to new version of rust-syn.
rust-asn1_derive (0.12.2)
[ 1 ][ FAIL ]
make: Nothing to be done for 'download'.
make: Leaving directory '/home/ipfire-2.x/lfs'
make: Entering directory '/usr/src/lfs'
toml-0.8.19.tar.gz checksum OK
make: Nothing to be done for 'install'.
make: Leaving directory '/usr/src/lfs'
Jän 26 15:18:59: Building rust-asn1_derive make: Entering directory
'/home/ipfire-2.x/lfs'
make: Nothing to be done for 'download'.
make: Leaving directory '/home/ipfire-2.x/lfs'
make: Entering directory '/usr/src/lfs'
asn1_derive-0.12.2.tar.gz checksum OK
====================================== Installing asn1_derive-
0.12.2 ...
Install started; saving file list to /usr/src/lsalr ...
cd /usr/src/asn1_derive-0.12.2 && if [ -f Cargo.toml.orig ]; then \
rm -f Cargo.toml.orig; \
fi; \
cd /usr/src/asn1_derive-0.12.2 && mkdir -p /usr/src/asn1_derive-
0.12.2/.cargo && echo "${CARGO_CONFIG}" > /usr/src/asn1_derive-
0.12.2/.cargo/config && rm -f Cargo.lock
cd /usr/src/asn1_derive-0.12.2 && CARGOPATH=/usr/src/asn1_derive-
0.12.2/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z
avoid-dev-deps -j12
warning: `/usr/src/asn1_derive-0.12.2/.cargo/config` is deprecated
in favor of `config.toml`
|
= help: if you need to support cargo 1.38 or earlier, you can
symlink `config` to `config.toml`
error: failed to select a version for the requirement `syn =
"^1.0.58"`
candidate versions found which didn't match: 2.0.114
location searched: directory source `/usr/share/cargo/registry`
(which is replacing registry `crates-io`)
required by package `asn1_derive v0.12.2 (/usr/src/asn1_derive-
0.12.2)`
perhaps a crate was updated and forgotten to be re-vendored?
As a reminder, you're using offline mode (--offline) which can
sometimes cause surprising resolution failures, if this error is too
confusing you may wish to retry without `--offline`.
make: *** [rust-asn1_derive:78: /usr/src/log/asn1_derive-0.12.2]
Error 101
make: Leaving directory '/usr/src/lfs'
ERROR: Building rust-asn1_derive
[ FAIL ]
Check /home/ipfire-2.x/log_x86_64/_build.ipfire.log for errors if
applicable
[ FAIL ]
root@localhost:/home/ipfire-2.x#
Currently there is an older version of the rust-syn packaged, which
would allow me to bypass this issue, but would violence the goal of
getting rid of unneccessary rust modules.
Theoretically I also could update the asn1_derive crate to the latest
version but this may break building the next modules.
May this could act as starting point for the python update, where all
the rust stuff also needs to be touched.....
@Adolf, @Michael what do you think about that?
Thanks in advance,
-Stefan
> Hello list,
>
> currently I'm working on cleaning up the rust packages.
>
> For these I disabled all rust modules in the make.sh file and perform
> a
> clean build as Michael suggested.
>
> At the moment I'm past the stage where "cbindgen" successfully has
> been
> build and have 103 rust modules (inlcluding there sub-dependencies)
> only for this one tool.
>
> An additional rust module is required to build suricata. This is
> because of patching the source code the required rust module is not
> part of their source tarball.
>
> This currently summs to 104 rust modules for the moment.
>
> I'm looking forward when python-cryptography kicks in its module
> whishes....
>
> Best regards,
>
> -Stefan
> > Hello Adolf,
> > Hello Michael,
> >
> > I would give the rust cleanup a try in the next few days.
> >
> > Adolf may I can ask you to put your current state of the python
> > update
> > into a git repositry?
> >
> > Thanks in advance,
> >
> > -Stefan
> >
> > > Hello Adolf,
> > >
> > > > On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
> > > > wrote:
> > > >
> > > > Hi Michael,
> > > >
> > > > On 23/01/2026 11:31, Michael Tremer wrote:
> > > > > Hello Stefan,
> > > > > Hello list,
> > > > > Thank you for looking at this. Of course it is very important
> > > > > that we are able to stay on the latest version of Suricata.
> > > > > I have merged your monster of a patch so that we can move on
> > > > > for
> > > > > now, but I have a couple of bigger questions that we all
> > > > > should
> > > > > have a look at:
> > > > > Adolf has in the past spent a lot of time on updating Rust.
> > > > > This
> > > > > is all tapping into Python - or rather python-cryptography -
> > > > > having some Rust code that has further dependencies. In
> > > > > essence,
> > > > > it has been a huge headache to update this. Maybe Adolf even
> > > > > has
> > > > > some other words for this all.
> > > >
> > > > My words on this are that I have now tried multiple times to
> > > > get
> > > > a
> > > > new python update built. Each time I have done it a bit
> > > > different
> > > > but the end result has been the same and that is that python-
> > > > cryptography (which requires rust modules to be built) ends up
> > > > requiring python-maturin that requires more rust modules but at
> > > > the
> > > > end of this the python-cryptography fails to find the built
> > > > rust
> > > > modules.
> > > >
> > > > I have been stuck at this last point so many times that I have
> > > > realised that I am finding lots of reasons not to go and work
> > > > on
> > > > the python update.
> > > > That is not a good position and also python has now moved from
> > > > 3.13
> > > > to 3.14 so things are moving away from me.
> > > >
> > > > I have come to the conclusion that someone else, more capable
> > > > than
> > > > me needs to have a go at the python update, so I am giving up
> > > > on
> > > > it
> > > > but will continue working on other things.
> > >
> > > Hmm okay, you sound like you are giving up on this :) I know how
> > > many
> > > hours (we probably need to measure those in days or even weeks)
> > > you
> > > have spent on this though.
> > >
> > > Let’s pool resources together and finally get this done.
> > > Hopefully
> > > this will be a smoother ride as a combined effort.
> > >
> > > > > Just building cbindgen has required a further ~98 Rust crates
> > > > > to
> > > > > be packaged. Often we have the same crate in different
> > > > > versions
> > > > > because other crates have pinned a specific version. In
> > > > > total,
> > > > > we
> > > > > currently have ~790 packages in IPFire. Out of those, there
> > > > > are
> > > > > 202 packages in the rust-* namespace. That is pretty much a
> > > > > quarter of the distribution. Although not a lot in size, this
> > > > > is
> > > > > a considerable maintenance burden.
> > > > > ClamAV and Suricata have (recently?) started to bundle all
> > > > > their
> > > > > Rust dependencies with their release tarballs. Although this
> > > > > is
> > > > > not a good thing for many other reasons, it will move the
> > > > > onus
> > > > > onto the upstream projects to provide whatever they need. If
> > > > > their dependencies (and the dependencies of their
> > > > > dependencies)
> > > > > explode, this is not really our problem any more as well as
> > > > > any
> > > > > supply chain problems. Great - within reason.
> > > > > That leaves us with only very few packages that would
> > > > > actually
> > > > > require any external Rust crates (Suricata is even configured
> > > > > to
> > > > > *exclusively* use their bundled crates): cbindgen as a new
> > > > > thing,
> > > > > python-cryptography, anything else? We might actually only
> > > > > need
> > > > > a
> > > > > fraction of the Rust crates that we currently have as the
> > > > > only
> > > > > packages that may actually tap into our locally built
> > > > > repository
> > > > > are only those two.
> > > >
> > > > Unfortunately there is the addon oci-python-sdk that uses
> > > > python-
> > > > cryptography.
> > >
> > > python-cryptography was on my list. oci-python-sdk only uses Rust
> > > indirectly through python-cryptography, right?
> > >
> > > > > Is anyone happy to give this all a try and cleanup any old
> > > > > Rust
> > > > > deps? That way, I hope we will have a much smoother ride
> > > > > moving
> > > > > forward with a Python update.
> > > >
> > > > I can take the current status, before Stefan's patches, and see
> > > > how
> > > > many existing rust modules can be removed. Anything that can be
> > > > removed is a step forward.
> > >
> > > Yes, I think we should try to shrink what we have now if that is
> > > possible at all. As most packages are bundling all Rust deps,
> > > there
> > > should be some we won’t need any more in the system.
> > >
> > > Then, we hopefully have much less to update/worry about in any
> > > other
> > > way when we start touching python-cryptography.
> > >
> > > So who is volunteering to do this? Commenting out all Rust
> > > packages,
> > > then build python-cryptography which will fail as it requires
> > > some
> > > Rust crates. Those will be there so they will only have to be
> > > commented in again. Once the package builds, we should then have
> > > a
> > > couple of packages still commented that we can drop.
> > >
> > > > I think a problem moving forward is that more python modules
> > > > are
> > > > ending up being a combination of python and rust as the
> > > > cryptography and maturin modules have already done. I have also
> > > > seen a lot of rust modules covering the same stuff as covered
> > > > by
> > > > python modules. So the future I think looks like it will
> > > > continue
> > > > to be very frustrating.
> > >
> > > Yes it does, but we will have to find a way whether we want it or
> > > not.
> > >
> > > -Michael
> > >
> > > > Regards,
> > > >
> > > > Adolf.
> > > >
> > > >
> > > > > All the best,
> > > > > -Michael
> > > > > > On 22 Jan 2026, at 17:38, Stefan Schantl
> > > > > > <stefan.schantl@ipfire.org> wrote:
> > > > > >
> > > > > > Hello list followers,
> > > > > >
> > > > > > I'm currently updating rust and affected modules.
> > > > > >
> > > > > > This happends mainly because I'm trying to fix the
> > > > > > "suricata
> > > > > > cache
> > > > > > grows infinite" problem, which a lot of people are
> > > > > > affected.
> > > > > >
> > > > > > To archive this, I ported the patches from suricata main
> > > > > > development
> > > > > > branch to our used suricata version (8.0.3).
> > > > > >
> > > > > > To perform a full build, a new tool called cbindgen - which
> > > > > > is
> > > > > > a rust
> > > > > > to c bindings generator, is required.
> > > > > >
> > > > > > Sadly this tool is also written in rust and requires some
> > > > > > new
> > > > > > dependencies and a more up to date rust compiler.
> > > > > >
> > > > > > I hope to send a patchset for all this very soon to the
> > > > > > mailing
> > > > > > list.
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > -Stefan
> > >
> > >
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-26 15:31 ` Stefan Schantl
@ 2026-01-26 17:23 ` Michael Tremer
2026-01-26 19:07 ` Adolf Belka
0 siblings, 1 reply; 17+ messages in thread
From: Michael Tremer @ 2026-01-26 17:23 UTC (permalink / raw)
To: Stefan Schantl; +Cc: development
Hello Stefan,
Thanks for looking into this.
I would suggest that for the cleanup project, it would be best to keep two versions of rust-syn. Obviously this will inflate the number of packages for now, but actually starting to update and therefore potentially add more dependencies does not sounds wise to me. We would mix up too many changes into one which is never good.
Please start a list with all those packages that we would have to have a look at once the cleanup has been completed and we will start with updating them. That way we should be able keep this cleaner and hopefully won’t introduce too many new dependencies.
In the end, I guess we will have to run this cleanup more than just this time, because we never know which package has dropped any dependencies. This is however rather unlikely.
Best,
-Michael
> On 26 Jan 2026, at 15:31, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Hello list it's me again,
>
> the build process now reached python-cryptography which requires rust-
> asn1, which requires rust-ans1_derive, which did not build because of a
> to new version of rust-syn.
>
> rust-asn1_derive (0.12.2)
> [ 1 ][ FAIL ]
>
> make: Nothing to be done for 'download'.
> make: Leaving directory '/home/ipfire-2.x/lfs'
> make: Entering directory '/usr/src/lfs'
> toml-0.8.19.tar.gz checksum OK
> make: Nothing to be done for 'install'.
> make: Leaving directory '/usr/src/lfs'
> Jän 26 15:18:59: Building rust-asn1_derive make: Entering directory
> '/home/ipfire-2.x/lfs'
> make: Nothing to be done for 'download'.
> make: Leaving directory '/home/ipfire-2.x/lfs'
> make: Entering directory '/usr/src/lfs'
> asn1_derive-0.12.2.tar.gz checksum OK
> ====================================== Installing asn1_derive-
> 0.12.2 ...
> Install started; saving file list to /usr/src/lsalr ...
> cd /usr/src/asn1_derive-0.12.2 && if [ -f Cargo.toml.orig ]; then \
> rm -f Cargo.toml.orig; \
> fi; \
>
> cd /usr/src/asn1_derive-0.12.2 && mkdir -p /usr/src/asn1_derive-
> 0.12.2/.cargo && echo "${CARGO_CONFIG}" > /usr/src/asn1_derive-
> 0.12.2/.cargo/config && rm -f Cargo.lock
> cd /usr/src/asn1_derive-0.12.2 && CARGOPATH=/usr/src/asn1_derive-
> 0.12.2/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z
> avoid-dev-deps -j12
> warning: `/usr/src/asn1_derive-0.12.2/.cargo/config` is deprecated
> in favor of `config.toml`
> |
> = help: if you need to support cargo 1.38 or earlier, you can
> symlink `config` to `config.toml`
> error: failed to select a version for the requirement `syn =
> "^1.0.58"`
> candidate versions found which didn't match: 2.0.114
> location searched: directory source `/usr/share/cargo/registry`
> (which is replacing registry `crates-io`)
> required by package `asn1_derive v0.12.2 (/usr/src/asn1_derive-
> 0.12.2)`
> perhaps a crate was updated and forgotten to be re-vendored?
> As a reminder, you're using offline mode (--offline) which can
> sometimes cause surprising resolution failures, if this error is too
> confusing you may wish to retry without `--offline`.
> make: *** [rust-asn1_derive:78: /usr/src/log/asn1_derive-0.12.2]
> Error 101
> make: Leaving directory '/usr/src/lfs'
>
> ERROR: Building rust-asn1_derive
> [ FAIL ]
> Check /home/ipfire-2.x/log_x86_64/_build.ipfire.log for errors if
> applicable
> [ FAIL ]
> root@localhost:/home/ipfire-2.x#
>
> Currently there is an older version of the rust-syn packaged, which
> would allow me to bypass this issue, but would violence the goal of
> getting rid of unneccessary rust modules.
>
> Theoretically I also could update the asn1_derive crate to the latest
> version but this may break building the next modules.
>
> May this could act as starting point for the python update, where all
> the rust stuff also needs to be touched.....
>
> @Adolf, @Michael what do you think about that?
>
> Thanks in advance,
>
> -Stefan
>
>
>
>> Hello list,
>>
>> currently I'm working on cleaning up the rust packages.
>>
>> For these I disabled all rust modules in the make.sh file and perform
>> a
>> clean build as Michael suggested.
>>
>> At the moment I'm past the stage where "cbindgen" successfully has
>> been
>> build and have 103 rust modules (inlcluding there sub-dependencies)
>> only for this one tool.
>>
>> An additional rust module is required to build suricata. This is
>> because of patching the source code the required rust module is not
>> part of their source tarball.
>>
>> This currently summs to 104 rust modules for the moment.
>>
>> I'm looking forward when python-cryptography kicks in its module
>> whishes....
>>
>> Best regards,
>>
>> -Stefan
>>> Hello Adolf,
>>> Hello Michael,
>>>
>>> I would give the rust cleanup a try in the next few days.
>>>
>>> Adolf may I can ask you to put your current state of the python
>>> update
>>> into a git repositry?
>>>
>>> Thanks in advance,
>>>
>>> -Stefan
>>>
>>>> Hello Adolf,
>>>>
>>>>> On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
>>>>> wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> On 23/01/2026 11:31, Michael Tremer wrote:
>>>>>> Hello Stefan,
>>>>>> Hello list,
>>>>>> Thank you for looking at this. Of course it is very important
>>>>>> that we are able to stay on the latest version of Suricata.
>>>>>> I have merged your monster of a patch so that we can move on
>>>>>> for
>>>>>> now, but I have a couple of bigger questions that we all
>>>>>> should
>>>>>> have a look at:
>>>>>> Adolf has in the past spent a lot of time on updating Rust.
>>>>>> This
>>>>>> is all tapping into Python - or rather python-cryptography -
>>>>>> having some Rust code that has further dependencies. In
>>>>>> essence,
>>>>>> it has been a huge headache to update this. Maybe Adolf even
>>>>>> has
>>>>>> some other words for this all.
>>>>>
>>>>> My words on this are that I have now tried multiple times to
>>>>> get
>>>>> a
>>>>> new python update built. Each time I have done it a bit
>>>>> different
>>>>> but the end result has been the same and that is that python-
>>>>> cryptography (which requires rust modules to be built) ends up
>>>>> requiring python-maturin that requires more rust modules but at
>>>>> the
>>>>> end of this the python-cryptography fails to find the built
>>>>> rust
>>>>> modules.
>>>>>
>>>>> I have been stuck at this last point so many times that I have
>>>>> realised that I am finding lots of reasons not to go and work
>>>>> on
>>>>> the python update.
>>>>> That is not a good position and also python has now moved from
>>>>> 3.13
>>>>> to 3.14 so things are moving away from me.
>>>>>
>>>>> I have come to the conclusion that someone else, more capable
>>>>> than
>>>>> me needs to have a go at the python update, so I am giving up
>>>>> on
>>>>> it
>>>>> but will continue working on other things.
>>>>
>>>> Hmm okay, you sound like you are giving up on this :) I know how
>>>> many
>>>> hours (we probably need to measure those in days or even weeks)
>>>> you
>>>> have spent on this though.
>>>>
>>>> Let’s pool resources together and finally get this done.
>>>> Hopefully
>>>> this will be a smoother ride as a combined effort.
>>>>
>>>>>> Just building cbindgen has required a further ~98 Rust crates
>>>>>> to
>>>>>> be packaged. Often we have the same crate in different
>>>>>> versions
>>>>>> because other crates have pinned a specific version. In
>>>>>> total,
>>>>>> we
>>>>>> currently have ~790 packages in IPFire. Out of those, there
>>>>>> are
>>>>>> 202 packages in the rust-* namespace. That is pretty much a
>>>>>> quarter of the distribution. Although not a lot in size, this
>>>>>> is
>>>>>> a considerable maintenance burden.
>>>>>> ClamAV and Suricata have (recently?) started to bundle all
>>>>>> their
>>>>>> Rust dependencies with their release tarballs. Although this
>>>>>> is
>>>>>> not a good thing for many other reasons, it will move the
>>>>>> onus
>>>>>> onto the upstream projects to provide whatever they need. If
>>>>>> their dependencies (and the dependencies of their
>>>>>> dependencies)
>>>>>> explode, this is not really our problem any more as well as
>>>>>> any
>>>>>> supply chain problems. Great - within reason.
>>>>>> That leaves us with only very few packages that would
>>>>>> actually
>>>>>> require any external Rust crates (Suricata is even configured
>>>>>> to
>>>>>> *exclusively* use their bundled crates): cbindgen as a new
>>>>>> thing,
>>>>>> python-cryptography, anything else? We might actually only
>>>>>> need
>>>>>> a
>>>>>> fraction of the Rust crates that we currently have as the
>>>>>> only
>>>>>> packages that may actually tap into our locally built
>>>>>> repository
>>>>>> are only those two.
>>>>>
>>>>> Unfortunately there is the addon oci-python-sdk that uses
>>>>> python-
>>>>> cryptography.
>>>>
>>>> python-cryptography was on my list. oci-python-sdk only uses Rust
>>>> indirectly through python-cryptography, right?
>>>>
>>>>>> Is anyone happy to give this all a try and cleanup any old
>>>>>> Rust
>>>>>> deps? That way, I hope we will have a much smoother ride
>>>>>> moving
>>>>>> forward with a Python update.
>>>>>
>>>>> I can take the current status, before Stefan's patches, and see
>>>>> how
>>>>> many existing rust modules can be removed. Anything that can be
>>>>> removed is a step forward.
>>>>
>>>> Yes, I think we should try to shrink what we have now if that is
>>>> possible at all. As most packages are bundling all Rust deps,
>>>> there
>>>> should be some we won’t need any more in the system.
>>>>
>>>> Then, we hopefully have much less to update/worry about in any
>>>> other
>>>> way when we start touching python-cryptography.
>>>>
>>>> So who is volunteering to do this? Commenting out all Rust
>>>> packages,
>>>> then build python-cryptography which will fail as it requires
>>>> some
>>>> Rust crates. Those will be there so they will only have to be
>>>> commented in again. Once the package builds, we should then have
>>>> a
>>>> couple of packages still commented that we can drop.
>>>>
>>>>> I think a problem moving forward is that more python modules
>>>>> are
>>>>> ending up being a combination of python and rust as the
>>>>> cryptography and maturin modules have already done. I have also
>>>>> seen a lot of rust modules covering the same stuff as covered
>>>>> by
>>>>> python modules. So the future I think looks like it will
>>>>> continue
>>>>> to be very frustrating.
>>>>
>>>> Yes it does, but we will have to find a way whether we want it or
>>>> not.
>>>>
>>>> -Michael
>>>>
>>>>> Regards,
>>>>>
>>>>> Adolf.
>>>>>
>>>>>
>>>>>> All the best,
>>>>>> -Michael
>>>>>>> On 22 Jan 2026, at 17:38, Stefan Schantl
>>>>>>> <stefan.schantl@ipfire.org> wrote:
>>>>>>>
>>>>>>> Hello list followers,
>>>>>>>
>>>>>>> I'm currently updating rust and affected modules.
>>>>>>>
>>>>>>> This happends mainly because I'm trying to fix the
>>>>>>> "suricata
>>>>>>> cache
>>>>>>> grows infinite" problem, which a lot of people are
>>>>>>> affected.
>>>>>>>
>>>>>>> To archive this, I ported the patches from suricata main
>>>>>>> development
>>>>>>> branch to our used suricata version (8.0.3).
>>>>>>>
>>>>>>> To perform a full build, a new tool called cbindgen - which
>>>>>>> is
>>>>>>> a rust
>>>>>>> to c bindings generator, is required.
>>>>>>>
>>>>>>> Sadly this tool is also written in rust and requires some
>>>>>>> new
>>>>>>> dependencies and a more up to date rust compiler.
>>>>>>>
>>>>>>> I hope to send a patchset for all this very soon to the
>>>>>>> mailing
>>>>>>> list.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> -Stefan
>>>>
>>>>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-26 17:23 ` Michael Tremer
@ 2026-01-26 19:07 ` Adolf Belka
2026-01-27 10:36 ` Michael Tremer
0 siblings, 1 reply; 17+ messages in thread
From: Adolf Belka @ 2026-01-26 19:07 UTC (permalink / raw)
To: Michael Tremer; +Cc: Stefan Schantl, IPFire: Development-List
Hi Michael & Stefan,
On 26/01/2026 18:23, Michael Tremer wrote:
> Hello Stefan,
>
> Thanks for looking into this.
>
> I would suggest that for the cleanup project, it would be best to keep two versions of rust-syn. Obviously this will inflate the number of packages for now, but actually starting to update and therefore potentially add more dependencies does not sounds wise to me. We would mix up too many changes into one which is never good.
I am pretty certain from my work on the python update, which required rust updates, that you will find that you will need two different versions of rust-syn as one rust module will require an older version and another rust module will require a newer version and the two won't overlap. In my work there were even some rust modules where I ended up with the latest version plus two older versions being required.
>
> Please start a list with all those packages that we would have to have a look at once the cleanup has been completed and we will start with updating them. That way we should be able keep this cleaner and hopefully won’t introduce too many new dependencies.
>
> In the end, I guess we will have to run this cleanup more than just this time, because we never know which package has dropped any dependencies. This is however rather unlikely.
>
> Best,
> -Michael
>
>> On 26 Jan 2026, at 15:31, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>
>> Hello list it's me again,
>>
>> the build process now reached python-cryptography which requires rust-
>> asn1, which requires rust-ans1_derive, which did not build because of a
>> to new version of rust-syn.
>>
>> rust-asn1_derive (0.12.2)
>> [ 1 ][ FAIL ]
>>
>> make: Nothing to be done for 'download'.
>> make: Leaving directory '/home/ipfire-2.x/lfs'
>> make: Entering directory '/usr/src/lfs'
>> toml-0.8.19.tar.gz checksum OK
>> make: Nothing to be done for 'install'.
>> make: Leaving directory '/usr/src/lfs'
>> Jän 26 15:18:59: Building rust-asn1_derive make: Entering directory
>> '/home/ipfire-2.x/lfs'
>> make: Nothing to be done for 'download'.
>> make: Leaving directory '/home/ipfire-2.x/lfs'
>> make: Entering directory '/usr/src/lfs'
>> asn1_derive-0.12.2.tar.gz checksum OK
>> ====================================== Installing asn1_derive-
>> 0.12.2 ...
>> Install started; saving file list to /usr/src/lsalr ...
>> cd /usr/src/asn1_derive-0.12.2 && if [ -f Cargo.toml.orig ]; then \
>> rm -f Cargo.toml.orig; \
>> fi; \
>>
>> cd /usr/src/asn1_derive-0.12.2 && mkdir -p /usr/src/asn1_derive-
>> 0.12.2/.cargo && echo "${CARGO_CONFIG}" > /usr/src/asn1_derive-
>> 0.12.2/.cargo/config && rm -f Cargo.lock
>> cd /usr/src/asn1_derive-0.12.2 && CARGOPATH=/usr/src/asn1_derive-
>> 0.12.2/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z
>> avoid-dev-deps -j12
>> warning: `/usr/src/asn1_derive-0.12.2/.cargo/config` is deprecated
>> in favor of `config.toml`
>> |
>> = help: if you need to support cargo 1.38 or earlier, you can
>> symlink `config` to `config.toml`
>> error: failed to select a version for the requirement `syn =
>> "^1.0.58"`
>> candidate versions found which didn't match: 2.0.114
>> location searched: directory source `/usr/share/cargo/registry`
>> (which is replacing registry `crates-io`)
>> required by package `asn1_derive v0.12.2 (/usr/src/asn1_derive-
>> 0.12.2)`
>> perhaps a crate was updated and forgotten to be re-vendored?
>> As a reminder, you're using offline mode (--offline) which can
>> sometimes cause surprising resolution failures, if this error is too
>> confusing you may wish to retry without `--offline`.
>> make: *** [rust-asn1_derive:78: /usr/src/log/asn1_derive-0.12.2]
>> Error 101
>> make: Leaving directory '/usr/src/lfs'
>>
>> ERROR: Building rust-asn1_derive
>> [ FAIL ]
>> Check /home/ipfire-2.x/log_x86_64/_build.ipfire.log for errors if
>> applicable
>> [ FAIL ]
>> root@localhost:/home/ipfire-2.x#
>>
>> Currently there is an older version of the rust-syn packaged, which
>> would allow me to bypass this issue, but would violence the goal of
>> getting rid of unneccessary rust modules.
>>
>> Theoretically I also could update the asn1_derive crate to the latest
>> version but this may break building the next modules.
>>
>> May this could act as starting point for the python update, where all
>> the rust stuff also needs to be touched.....
>>
>> @Adolf, @Michael what do you think about that?
>>
>> Thanks in advance,
>>
>> -Stefan
>>
>>
>>
>>> Hello list,
>>>
>>> currently I'm working on cleaning up the rust packages.
>>>
>>> For these I disabled all rust modules in the make.sh file and perform
>>> a
>>> clean build as Michael suggested.
>>>
>>> At the moment I'm past the stage where "cbindgen" successfully has
>>> been
>>> build and have 103 rust modules (inlcluding there sub-dependencies)
>>> only for this one tool.
>>>
>>> An additional rust module is required to build suricata. This is
>>> because of patching the source code the required rust module is not
>>> part of their source tarball.
>>>
>>> This currently summs to 104 rust modules for the moment.
>>>
>>> I'm looking forward when python-cryptography kicks in its module
>>> whishes....
>>>
>>> Best regards,
>>>
>>> -Stefan
>>>> Hello Adolf,
>>>> Hello Michael,
>>>>
>>>> I would give the rust cleanup a try in the next few days.
>>>>
>>>> Adolf may I can ask you to put your current state of the python
>>>> update
>>>> into a git repositry?
As my last work from November last year was not completed and is based on an older status now and also on python3.13 vs the current 3.14, I think it makes more sense that once Stefan has completed the clean up of the rust modules, I then take that as the starting point and go through all my changes as done before until I get to the problem I experience with python-cryptography not being able to find any of the rust modules required by python-maturin. That has always been the point where I got stuck.
At that time I will then put that git branch I am working on into my personal IPFire git repo so that the two of you can look at it to see what I am doing wrong at that stage.
That way, I can still contribute with all the update steps that I can do but hand it over when it gets to the step that has consistently beat me.
Regards,
Adolf.
>>>>
>>>> Thanks in advance,
>>>>
>>>> -Stefan
>>>>
>>>>> Hello Adolf,
>>>>>
>>>>>> On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
>>>>>> wrote:
>>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> On 23/01/2026 11:31, Michael Tremer wrote:
>>>>>>> Hello Stefan,
>>>>>>> Hello list,
>>>>>>> Thank you for looking at this. Of course it is very important
>>>>>>> that we are able to stay on the latest version of Suricata.
>>>>>>> I have merged your monster of a patch so that we can move on
>>>>>>> for
>>>>>>> now, but I have a couple of bigger questions that we all
>>>>>>> should
>>>>>>> have a look at:
>>>>>>> Adolf has in the past spent a lot of time on updating Rust.
>>>>>>> This
>>>>>>> is all tapping into Python - or rather python-cryptography -
>>>>>>> having some Rust code that has further dependencies. In
>>>>>>> essence,
>>>>>>> it has been a huge headache to update this. Maybe Adolf even
>>>>>>> has
>>>>>>> some other words for this all.
>>>>>>
>>>>>> My words on this are that I have now tried multiple times to
>>>>>> get
>>>>>> a
>>>>>> new python update built. Each time I have done it a bit
>>>>>> different
>>>>>> but the end result has been the same and that is that python-
>>>>>> cryptography (which requires rust modules to be built) ends up
>>>>>> requiring python-maturin that requires more rust modules but at
>>>>>> the
>>>>>> end of this the python-cryptography fails to find the built
>>>>>> rust
>>>>>> modules.
>>>>>>
>>>>>> I have been stuck at this last point so many times that I have
>>>>>> realised that I am finding lots of reasons not to go and work
>>>>>> on
>>>>>> the python update.
>>>>>> That is not a good position and also python has now moved from
>>>>>> 3.13
>>>>>> to 3.14 so things are moving away from me.
>>>>>>
>>>>>> I have come to the conclusion that someone else, more capable
>>>>>> than
>>>>>> me needs to have a go at the python update, so I am giving up
>>>>>> on
>>>>>> it
>>>>>> but will continue working on other things.
>>>>>
>>>>> Hmm okay, you sound like you are giving up on this :) I know how
>>>>> many
>>>>> hours (we probably need to measure those in days or even weeks)
>>>>> you
>>>>> have spent on this though.
>>>>>
>>>>> Let’s pool resources together and finally get this done.
>>>>> Hopefully
>>>>> this will be a smoother ride as a combined effort.
>>>>>
>>>>>>> Just building cbindgen has required a further ~98 Rust crates
>>>>>>> to
>>>>>>> be packaged. Often we have the same crate in different
>>>>>>> versions
>>>>>>> because other crates have pinned a specific version. In
>>>>>>> total,
>>>>>>> we
>>>>>>> currently have ~790 packages in IPFire. Out of those, there
>>>>>>> are
>>>>>>> 202 packages in the rust-* namespace. That is pretty much a
>>>>>>> quarter of the distribution. Although not a lot in size, this
>>>>>>> is
>>>>>>> a considerable maintenance burden.
>>>>>>> ClamAV and Suricata have (recently?) started to bundle all
>>>>>>> their
>>>>>>> Rust dependencies with their release tarballs. Although this
>>>>>>> is
>>>>>>> not a good thing for many other reasons, it will move the
>>>>>>> onus
>>>>>>> onto the upstream projects to provide whatever they need. If
>>>>>>> their dependencies (and the dependencies of their
>>>>>>> dependencies)
>>>>>>> explode, this is not really our problem any more as well as
>>>>>>> any
>>>>>>> supply chain problems. Great - within reason.
>>>>>>> That leaves us with only very few packages that would
>>>>>>> actually
>>>>>>> require any external Rust crates (Suricata is even configured
>>>>>>> to
>>>>>>> *exclusively* use their bundled crates): cbindgen as a new
>>>>>>> thing,
>>>>>>> python-cryptography, anything else? We might actually only
>>>>>>> need
>>>>>>> a
>>>>>>> fraction of the Rust crates that we currently have as the
>>>>>>> only
>>>>>>> packages that may actually tap into our locally built
>>>>>>> repository
>>>>>>> are only those two.
>>>>>>
>>>>>> Unfortunately there is the addon oci-python-sdk that uses
>>>>>> python-
>>>>>> cryptography.
>>>>>
>>>>> python-cryptography was on my list. oci-python-sdk only uses Rust
>>>>> indirectly through python-cryptography, right?
>>>>>
>>>>>>> Is anyone happy to give this all a try and cleanup any old
>>>>>>> Rust
>>>>>>> deps? That way, I hope we will have a much smoother ride
>>>>>>> moving
>>>>>>> forward with a Python update.
>>>>>>
>>>>>> I can take the current status, before Stefan's patches, and see
>>>>>> how
>>>>>> many existing rust modules can be removed. Anything that can be
>>>>>> removed is a step forward.
>>>>>
>>>>> Yes, I think we should try to shrink what we have now if that is
>>>>> possible at all. As most packages are bundling all Rust deps,
>>>>> there
>>>>> should be some we won’t need any more in the system.
>>>>>
>>>>> Then, we hopefully have much less to update/worry about in any
>>>>> other
>>>>> way when we start touching python-cryptography.
>>>>>
>>>>> So who is volunteering to do this? Commenting out all Rust
>>>>> packages,
>>>>> then build python-cryptography which will fail as it requires
>>>>> some
>>>>> Rust crates. Those will be there so they will only have to be
>>>>> commented in again. Once the package builds, we should then have
>>>>> a
>>>>> couple of packages still commented that we can drop.
>>>>>
>>>>>> I think a problem moving forward is that more python modules
>>>>>> are
>>>>>> ending up being a combination of python and rust as the
>>>>>> cryptography and maturin modules have already done. I have also
>>>>>> seen a lot of rust modules covering the same stuff as covered
>>>>>> by
>>>>>> python modules. So the future I think looks like it will
>>>>>> continue
>>>>>> to be very frustrating.
>>>>>
>>>>> Yes it does, but we will have to find a way whether we want it or
>>>>> not.
>>>>>
>>>>> -Michael
>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Adolf.
>>>>>>
>>>>>>
>>>>>>> All the best,
>>>>>>> -Michael
>>>>>>>> On 22 Jan 2026, at 17:38, Stefan Schantl
>>>>>>>> <stefan.schantl@ipfire.org> wrote:
>>>>>>>>
>>>>>>>> Hello list followers,
>>>>>>>>
>>>>>>>> I'm currently updating rust and affected modules.
>>>>>>>>
>>>>>>>> This happends mainly because I'm trying to fix the
>>>>>>>> "suricata
>>>>>>>> cache
>>>>>>>> grows infinite" problem, which a lot of people are
>>>>>>>> affected.
>>>>>>>>
>>>>>>>> To archive this, I ported the patches from suricata main
>>>>>>>> development
>>>>>>>> branch to our used suricata version (8.0.3).
>>>>>>>>
>>>>>>>> To perform a full build, a new tool called cbindgen - which
>>>>>>>> is
>>>>>>>> a rust
>>>>>>>> to c bindings generator, is required.
>>>>>>>>
>>>>>>>> Sadly this tool is also written in rust and requires some
>>>>>>>> new
>>>>>>>> dependencies and a more up to date rust compiler.
>>>>>>>>
>>>>>>>> I hope to send a patchset for all this very soon to the
>>>>>>>> mailing
>>>>>>>> list.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> -Stefan
>>>>>
>>>>>
>>
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-26 19:07 ` Adolf Belka
@ 2026-01-27 10:36 ` Michael Tremer
2026-01-27 15:45 ` Adolf Belka
0 siblings, 1 reply; 17+ messages in thread
From: Michael Tremer @ 2026-01-27 10:36 UTC (permalink / raw)
To: Adolf Belka; +Cc: Stefan Schantl, IPFire: Development-List
Hello Adolf,
> On 26 Jan 2026, at 19:07, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Hi Michael & Stefan,
>
> On 26/01/2026 18:23, Michael Tremer wrote:
>> Hello Stefan,
>> Thanks for looking into this.
>> I would suggest that for the cleanup project, it would be best to keep two versions of rust-syn. Obviously this will inflate the number of packages for now, but actually starting to update and therefore potentially add more dependencies does not sounds wise to me. We would mix up too many changes into one which is never good.
>
> I am pretty certain from my work on the python update, which required rust updates, that you will find that you will need two different versions of rust-syn as one rust module will require an older version and another rust module will require a newer version and the two won't overlap. In my work there were even some rust modules where I ended up with the latest version plus two older versions being required.
I hope that at some point someone will be able to explain to me what the benefit is to ship an older version of a crate that will have some bugs that have been fixed in the newer version. And if this is regarding LTS or breaking changes, other libraries totally manage this...
>> Please start a list with all those packages that we would have to have a look at once the cleanup has been completed and we will start with updating them. That way we should be able keep this cleaner and hopefully won’t introduce too many new dependencies.
>> In the end, I guess we will have to run this cleanup more than just this time, because we never know which package has dropped any dependencies. This is however rather unlikely.
>> Best,
>> -Michael
>>> On 26 Jan 2026, at 15:31, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>
>>> Hello list it's me again,
>>>
>>> the build process now reached python-cryptography which requires rust-
>>> asn1, which requires rust-ans1_derive, which did not build because of a
>>> to new version of rust-syn.
>>>
>>> rust-asn1_derive (0.12.2)
>>> [ 1 ][ FAIL ]
>>>
>>> make: Nothing to be done for 'download'.
>>> make: Leaving directory '/home/ipfire-2.x/lfs'
>>> make: Entering directory '/usr/src/lfs'
>>> toml-0.8.19.tar.gz checksum OK
>>> make: Nothing to be done for 'install'.
>>> make: Leaving directory '/usr/src/lfs'
>>> Jän 26 15:18:59: Building rust-asn1_derive make: Entering directory
>>> '/home/ipfire-2.x/lfs'
>>> make: Nothing to be done for 'download'.
>>> make: Leaving directory '/home/ipfire-2.x/lfs'
>>> make: Entering directory '/usr/src/lfs'
>>> asn1_derive-0.12.2.tar.gz checksum OK
>>> ====================================== Installing asn1_derive-
>>> 0.12.2 ...
>>> Install started; saving file list to /usr/src/lsalr ...
>>> cd /usr/src/asn1_derive-0.12.2 && if [ -f Cargo.toml.orig ]; then \
>>> rm -f Cargo.toml.orig; \
>>> fi; \
>>>
>>> cd /usr/src/asn1_derive-0.12.2 && mkdir -p /usr/src/asn1_derive-
>>> 0.12.2/.cargo && echo "${CARGO_CONFIG}" > /usr/src/asn1_derive-
>>> 0.12.2/.cargo/config && rm -f Cargo.lock
>>> cd /usr/src/asn1_derive-0.12.2 && CARGOPATH=/usr/src/asn1_derive-
>>> 0.12.2/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z
>>> avoid-dev-deps -j12
>>> warning: `/usr/src/asn1_derive-0.12.2/.cargo/config` is deprecated
>>> in favor of `config.toml`
>>> |
>>> = help: if you need to support cargo 1.38 or earlier, you can
>>> symlink `config` to `config.toml`
>>> error: failed to select a version for the requirement `syn =
>>> "^1.0.58"`
>>> candidate versions found which didn't match: 2.0.114
>>> location searched: directory source `/usr/share/cargo/registry`
>>> (which is replacing registry `crates-io`)
>>> required by package `asn1_derive v0.12.2 (/usr/src/asn1_derive-
>>> 0.12.2)`
>>> perhaps a crate was updated and forgotten to be re-vendored?
>>> As a reminder, you're using offline mode (--offline) which can
>>> sometimes cause surprising resolution failures, if this error is too
>>> confusing you may wish to retry without `--offline`.
>>> make: *** [rust-asn1_derive:78: /usr/src/log/asn1_derive-0.12.2]
>>> Error 101
>>> make: Leaving directory '/usr/src/lfs'
>>>
>>> ERROR: Building rust-asn1_derive
>>> [ FAIL ]
>>> Check /home/ipfire-2.x/log_x86_64/_build.ipfire.log for errors if
>>> applicable
>>> [ FAIL ]
>>> root@localhost:/home/ipfire-2.x#
>>>
>>> Currently there is an older version of the rust-syn packaged, which
>>> would allow me to bypass this issue, but would violence the goal of
>>> getting rid of unneccessary rust modules.
>>>
>>> Theoretically I also could update the asn1_derive crate to the latest
>>> version but this may break building the next modules.
>>>
>>> May this could act as starting point for the python update, where all
>>> the rust stuff also needs to be touched.....
>>>
>>> @Adolf, @Michael what do you think about that?
>>>
>>> Thanks in advance,
>>>
>>> -Stefan
>>>
>>>
>>>
>>>> Hello list,
>>>>
>>>> currently I'm working on cleaning up the rust packages.
>>>>
>>>> For these I disabled all rust modules in the make.sh file and perform
>>>> a
>>>> clean build as Michael suggested.
>>>>
>>>> At the moment I'm past the stage where "cbindgen" successfully has
>>>> been
>>>> build and have 103 rust modules (inlcluding there sub-dependencies)
>>>> only for this one tool.
>>>>
>>>> An additional rust module is required to build suricata. This is
>>>> because of patching the source code the required rust module is not
>>>> part of their source tarball.
>>>>
>>>> This currently summs to 104 rust modules for the moment.
>>>>
>>>> I'm looking forward when python-cryptography kicks in its module
>>>> whishes....
>>>>
>>>> Best regards,
>>>>
>>>> -Stefan
>>>>> Hello Adolf,
>>>>> Hello Michael,
>>>>>
>>>>> I would give the rust cleanup a try in the next few days.
>>>>>
>>>>> Adolf may I can ask you to put your current state of the python
>>>>> update
>>>>> into a git repositry?
>
> As my last work from November last year was not completed and is based on an older status now and also on python3.13 vs the current 3.14, I think it makes more sense that once Stefan has completed the clean up of the rust modules, I then take that as the starting point and go through all my changes as done before until I get to the problem I experience with python-cryptography not being able to find any of the rust modules required by python-maturin. That has always been the point where I got stuck.
Did you try to update python-cryptography first without touching Python and after that try the Python update?
> At that time I will then put that git branch I am working on into my personal IPFire git repo so that the two of you can look at it to see what I am doing wrong at that stage.
>
> That way, I can still contribute with all the update steps that I can do but hand it over when it gets to the step that has consistently beat me.
>
> Regards,
>
> Adolf.
>
>
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> -Stefan
>>>>>
>>>>>> Hello Adolf,
>>>>>>
>>>>>>> On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Michael,
>>>>>>>
>>>>>>> On 23/01/2026 11:31, Michael Tremer wrote:
>>>>>>>> Hello Stefan,
>>>>>>>> Hello list,
>>>>>>>> Thank you for looking at this. Of course it is very important
>>>>>>>> that we are able to stay on the latest version of Suricata.
>>>>>>>> I have merged your monster of a patch so that we can move on
>>>>>>>> for
>>>>>>>> now, but I have a couple of bigger questions that we all
>>>>>>>> should
>>>>>>>> have a look at:
>>>>>>>> Adolf has in the past spent a lot of time on updating Rust.
>>>>>>>> This
>>>>>>>> is all tapping into Python - or rather python-cryptography -
>>>>>>>> having some Rust code that has further dependencies. In
>>>>>>>> essence,
>>>>>>>> it has been a huge headache to update this. Maybe Adolf even
>>>>>>>> has
>>>>>>>> some other words for this all.
>>>>>>>
>>>>>>> My words on this are that I have now tried multiple times to
>>>>>>> get
>>>>>>> a
>>>>>>> new python update built. Each time I have done it a bit
>>>>>>> different
>>>>>>> but the end result has been the same and that is that python-
>>>>>>> cryptography (which requires rust modules to be built) ends up
>>>>>>> requiring python-maturin that requires more rust modules but at
>>>>>>> the
>>>>>>> end of this the python-cryptography fails to find the built
>>>>>>> rust
>>>>>>> modules.
>>>>>>>
>>>>>>> I have been stuck at this last point so many times that I have
>>>>>>> realised that I am finding lots of reasons not to go and work
>>>>>>> on
>>>>>>> the python update.
>>>>>>> That is not a good position and also python has now moved from
>>>>>>> 3.13
>>>>>>> to 3.14 so things are moving away from me.
>>>>>>>
>>>>>>> I have come to the conclusion that someone else, more capable
>>>>>>> than
>>>>>>> me needs to have a go at the python update, so I am giving up
>>>>>>> on
>>>>>>> it
>>>>>>> but will continue working on other things.
>>>>>>
>>>>>> Hmm okay, you sound like you are giving up on this :) I know how
>>>>>> many
>>>>>> hours (we probably need to measure those in days or even weeks)
>>>>>> you
>>>>>> have spent on this though.
>>>>>>
>>>>>> Let’s pool resources together and finally get this done.
>>>>>> Hopefully
>>>>>> this will be a smoother ride as a combined effort.
>>>>>>
>>>>>>>> Just building cbindgen has required a further ~98 Rust crates
>>>>>>>> to
>>>>>>>> be packaged. Often we have the same crate in different
>>>>>>>> versions
>>>>>>>> because other crates have pinned a specific version. In
>>>>>>>> total,
>>>>>>>> we
>>>>>>>> currently have ~790 packages in IPFire. Out of those, there
>>>>>>>> are
>>>>>>>> 202 packages in the rust-* namespace. That is pretty much a
>>>>>>>> quarter of the distribution. Although not a lot in size, this
>>>>>>>> is
>>>>>>>> a considerable maintenance burden.
>>>>>>>> ClamAV and Suricata have (recently?) started to bundle all
>>>>>>>> their
>>>>>>>> Rust dependencies with their release tarballs. Although this
>>>>>>>> is
>>>>>>>> not a good thing for many other reasons, it will move the
>>>>>>>> onus
>>>>>>>> onto the upstream projects to provide whatever they need. If
>>>>>>>> their dependencies (and the dependencies of their
>>>>>>>> dependencies)
>>>>>>>> explode, this is not really our problem any more as well as
>>>>>>>> any
>>>>>>>> supply chain problems. Great - within reason.
>>>>>>>> That leaves us with only very few packages that would
>>>>>>>> actually
>>>>>>>> require any external Rust crates (Suricata is even configured
>>>>>>>> to
>>>>>>>> *exclusively* use their bundled crates): cbindgen as a new
>>>>>>>> thing,
>>>>>>>> python-cryptography, anything else? We might actually only
>>>>>>>> need
>>>>>>>> a
>>>>>>>> fraction of the Rust crates that we currently have as the
>>>>>>>> only
>>>>>>>> packages that may actually tap into our locally built
>>>>>>>> repository
>>>>>>>> are only those two.
>>>>>>>
>>>>>>> Unfortunately there is the addon oci-python-sdk that uses
>>>>>>> python-
>>>>>>> cryptography.
>>>>>>
>>>>>> python-cryptography was on my list. oci-python-sdk only uses Rust
>>>>>> indirectly through python-cryptography, right?
>>>>>>
>>>>>>>> Is anyone happy to give this all a try and cleanup any old
>>>>>>>> Rust
>>>>>>>> deps? That way, I hope we will have a much smoother ride
>>>>>>>> moving
>>>>>>>> forward with a Python update.
>>>>>>>
>>>>>>> I can take the current status, before Stefan's patches, and see
>>>>>>> how
>>>>>>> many existing rust modules can be removed. Anything that can be
>>>>>>> removed is a step forward.
>>>>>>
>>>>>> Yes, I think we should try to shrink what we have now if that is
>>>>>> possible at all. As most packages are bundling all Rust deps,
>>>>>> there
>>>>>> should be some we won’t need any more in the system.
>>>>>>
>>>>>> Then, we hopefully have much less to update/worry about in any
>>>>>> other
>>>>>> way when we start touching python-cryptography.
>>>>>>
>>>>>> So who is volunteering to do this? Commenting out all Rust
>>>>>> packages,
>>>>>> then build python-cryptography which will fail as it requires
>>>>>> some
>>>>>> Rust crates. Those will be there so they will only have to be
>>>>>> commented in again. Once the package builds, we should then have
>>>>>> a
>>>>>> couple of packages still commented that we can drop.
>>>>>>
>>>>>>> I think a problem moving forward is that more python modules
>>>>>>> are
>>>>>>> ending up being a combination of python and rust as the
>>>>>>> cryptography and maturin modules have already done. I have also
>>>>>>> seen a lot of rust modules covering the same stuff as covered
>>>>>>> by
>>>>>>> python modules. So the future I think looks like it will
>>>>>>> continue
>>>>>>> to be very frustrating.
>>>>>>
>>>>>> Yes it does, but we will have to find a way whether we want it or
>>>>>> not.
>>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Adolf.
>>>>>>>
>>>>>>>
>>>>>>>> All the best,
>>>>>>>> -Michael
>>>>>>>>> On 22 Jan 2026, at 17:38, Stefan Schantl
>>>>>>>>> <stefan.schantl@ipfire.org> wrote:
>>>>>>>>>
>>>>>>>>> Hello list followers,
>>>>>>>>>
>>>>>>>>> I'm currently updating rust and affected modules.
>>>>>>>>>
>>>>>>>>> This happends mainly because I'm trying to fix the
>>>>>>>>> "suricata
>>>>>>>>> cache
>>>>>>>>> grows infinite" problem, which a lot of people are
>>>>>>>>> affected.
>>>>>>>>>
>>>>>>>>> To archive this, I ported the patches from suricata main
>>>>>>>>> development
>>>>>>>>> branch to our used suricata version (8.0.3).
>>>>>>>>>
>>>>>>>>> To perform a full build, a new tool called cbindgen - which
>>>>>>>>> is
>>>>>>>>> a rust
>>>>>>>>> to c bindings generator, is required.
>>>>>>>>>
>>>>>>>>> Sadly this tool is also written in rust and requires some
>>>>>>>>> new
>>>>>>>>> dependencies and a more up to date rust compiler.
>>>>>>>>>
>>>>>>>>> I hope to send a patchset for all this very soon to the
>>>>>>>>> mailing
>>>>>>>>> list.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>
>>>>>>>>> -Stefan
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Updating rust and eco system
2026-01-27 10:36 ` Michael Tremer
@ 2026-01-27 15:45 ` Adolf Belka
0 siblings, 0 replies; 17+ messages in thread
From: Adolf Belka @ 2026-01-27 15:45 UTC (permalink / raw)
To: Michael Tremer; +Cc: Stefan Schantl, IPFire: Development-List
Hi Michael,
On 27/01/2026 11:36, Michael Tremer wrote:
> Hello Adolf,
>
>> On 26 Jan 2026, at 19:07, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi Michael & Stefan,
>>
>> On 26/01/2026 18:23, Michael Tremer wrote:
>>> Hello Stefan,
>>> Thanks for looking into this.
>>> I would suggest that for the cleanup project, it would be best to keep two versions of rust-syn. Obviously this will inflate the number of packages for now, but actually starting to update and therefore potentially add more dependencies does not sounds wise to me. We would mix up too many changes into one which is never good.
>>
>> I am pretty certain from my work on the python update, which required rust updates, that you will find that you will need two different versions of rust-syn as one rust module will require an older version and another rust module will require a newer version and the two won't overlap. In my work there were even some rust modules where I ended up with the latest version plus two older versions being required.
>
> I hope that at some point someone will be able to explain to me what the benefit is to ship an older version of a crate that will have some bugs that have been fixed in the newer version. And if this is regarding LTS or breaking changes, other libraries totally manage this...
I believe this is due to some packages that use another rust module not having been updated for some time (1 or 2 years) and the module build is linked to the older version of the additional required module.
It might be as simple as a rust module just being updated to use the new other modules or there might be some work to make them work but the original module developer needs to do the update.
I just did a search for option-ext and crates.io came up with 5 results. Th oldest last updated is almost 5 years (works with a 2018 edition of Rust) and the youngest updated is over 1 year ago (works with a 2021 edition of Rust, which is not particularly recent).
Being tied to an older edition of Rust doesn't mean it won't build but it increases the chances of the module needing to be re-written to be updated and work with the latest Rust edition.
Searching for rust modules with the search text of option found 46425 results and on the first page there is one module updated 13 days ago and another that was updated almost 8 years ago.
From my work on adding required rust modules for the python build it is not clear to me that a module developer ensures they are using other up to date rust modules. I think they find they need a rust module and that might be up to date but it might be using other modules that are quite old and that large chain of dependencies can easily end up with requiring different versions of some other modules than another module that also requires the same dependency.
Regards,
Adolf.
>
>>> Please start a list with all those packages that we would have to have a look at once the cleanup has been completed and we will start with updating them. That way we should be able keep this cleaner and hopefully won’t introduce too many new dependencies.
>>> In the end, I guess we will have to run this cleanup more than just this time, because we never know which package has dropped any dependencies. This is however rather unlikely.
>>> Best,
>>> -Michael
>>>> On 26 Jan 2026, at 15:31, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>>
>>>> Hello list it's me again,
>>>>
>>>> the build process now reached python-cryptography which requires rust-
>>>> asn1, which requires rust-ans1_derive, which did not build because of a
>>>> to new version of rust-syn.
>>>>
>>>> rust-asn1_derive (0.12.2)
>>>> [ 1 ][ FAIL ]
>>>>
>>>> make: Nothing to be done for 'download'.
>>>> make: Leaving directory '/home/ipfire-2.x/lfs'
>>>> make: Entering directory '/usr/src/lfs'
>>>> toml-0.8.19.tar.gz checksum OK
>>>> make: Nothing to be done for 'install'.
>>>> make: Leaving directory '/usr/src/lfs'
>>>> Jän 26 15:18:59: Building rust-asn1_derive make: Entering directory
>>>> '/home/ipfire-2.x/lfs'
>>>> make: Nothing to be done for 'download'.
>>>> make: Leaving directory '/home/ipfire-2.x/lfs'
>>>> make: Entering directory '/usr/src/lfs'
>>>> asn1_derive-0.12.2.tar.gz checksum OK
>>>> ====================================== Installing asn1_derive-
>>>> 0.12.2 ...
>>>> Install started; saving file list to /usr/src/lsalr ...
>>>> cd /usr/src/asn1_derive-0.12.2 && if [ -f Cargo.toml.orig ]; then \
>>>> rm -f Cargo.toml.orig; \
>>>> fi; \
>>>>
>>>> cd /usr/src/asn1_derive-0.12.2 && mkdir -p /usr/src/asn1_derive-
>>>> 0.12.2/.cargo && echo "${CARGO_CONFIG}" > /usr/src/asn1_derive-
>>>> 0.12.2/.cargo/config && rm -f Cargo.lock
>>>> cd /usr/src/asn1_derive-0.12.2 && CARGOPATH=/usr/src/asn1_derive-
>>>> 0.12.2/.cargo RUSTC_BOOTSTRAP=1 cargo --offline build --release -Z
>>>> avoid-dev-deps -j12
>>>> warning: `/usr/src/asn1_derive-0.12.2/.cargo/config` is deprecated
>>>> in favor of `config.toml`
>>>> |
>>>> = help: if you need to support cargo 1.38 or earlier, you can
>>>> symlink `config` to `config.toml`
>>>> error: failed to select a version for the requirement `syn =
>>>> "^1.0.58"`
>>>> candidate versions found which didn't match: 2.0.114
>>>> location searched: directory source `/usr/share/cargo/registry`
>>>> (which is replacing registry `crates-io`)
>>>> required by package `asn1_derive v0.12.2 (/usr/src/asn1_derive-
>>>> 0.12.2)`
>>>> perhaps a crate was updated and forgotten to be re-vendored?
>>>> As a reminder, you're using offline mode (--offline) which can
>>>> sometimes cause surprising resolution failures, if this error is too
>>>> confusing you may wish to retry without `--offline`.
>>>> make: *** [rust-asn1_derive:78: /usr/src/log/asn1_derive-0.12.2]
>>>> Error 101
>>>> make: Leaving directory '/usr/src/lfs'
>>>>
>>>> ERROR: Building rust-asn1_derive
>>>> [ FAIL ]
>>>> Check /home/ipfire-2.x/log_x86_64/_build.ipfire.log for errors if
>>>> applicable
>>>> [ FAIL ]
>>>> root@localhost:/home/ipfire-2.x#
>>>>
>>>> Currently there is an older version of the rust-syn packaged, which
>>>> would allow me to bypass this issue, but would violence the goal of
>>>> getting rid of unneccessary rust modules.
>>>>
>>>> Theoretically I also could update the asn1_derive crate to the latest
>>>> version but this may break building the next modules.
>>>>
>>>> May this could act as starting point for the python update, where all
>>>> the rust stuff also needs to be touched.....
>>>>
>>>> @Adolf, @Michael what do you think about that?
>>>>
>>>> Thanks in advance,
>>>>
>>>> -Stefan
>>>>
>>>>
>>>>
>>>>> Hello list,
>>>>>
>>>>> currently I'm working on cleaning up the rust packages.
>>>>>
>>>>> For these I disabled all rust modules in the make.sh file and perform
>>>>> a
>>>>> clean build as Michael suggested.
>>>>>
>>>>> At the moment I'm past the stage where "cbindgen" successfully has
>>>>> been
>>>>> build and have 103 rust modules (inlcluding there sub-dependencies)
>>>>> only for this one tool.
>>>>>
>>>>> An additional rust module is required to build suricata. This is
>>>>> because of patching the source code the required rust module is not
>>>>> part of their source tarball.
>>>>>
>>>>> This currently summs to 104 rust modules for the moment.
>>>>>
>>>>> I'm looking forward when python-cryptography kicks in its module
>>>>> whishes....
>>>>>
>>>>> Best regards,
>>>>>
>>>>> -Stefan
>>>>>> Hello Adolf,
>>>>>> Hello Michael,
>>>>>>
>>>>>> I would give the rust cleanup a try in the next few days.
>>>>>>
>>>>>> Adolf may I can ask you to put your current state of the python
>>>>>> update
>>>>>> into a git repositry?
>>
>> As my last work from November last year was not completed and is based on an older status now and also on python3.13 vs the current 3.14, I think it makes more sense that once Stefan has completed the clean up of the rust modules, I then take that as the starting point and go through all my changes as done before until I get to the problem I experience with python-cryptography not being able to find any of the rust modules required by python-maturin. That has always been the point where I got stuck.
>
> Did you try to update python-cryptography first without touching Python and after that try the Python update?
>
>> At that time I will then put that git branch I am working on into my personal IPFire git repo so that the two of you can look at it to see what I am doing wrong at that stage.
>>
>> That way, I can still contribute with all the update steps that I can do but hand it over when it gets to the step that has consistently beat me.
>>
>> Regards,
>>
>> Adolf.
>>
>>
>>>>>>
>>>>>> Thanks in advance,
>>>>>>
>>>>>> -Stefan
>>>>>>
>>>>>>> Hello Adolf,
>>>>>>>
>>>>>>>> On 23 Jan 2026, at 11:06, Adolf Belka <adolf.belka@ipfire.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Michael,
>>>>>>>>
>>>>>>>> On 23/01/2026 11:31, Michael Tremer wrote:
>>>>>>>>> Hello Stefan,
>>>>>>>>> Hello list,
>>>>>>>>> Thank you for looking at this. Of course it is very important
>>>>>>>>> that we are able to stay on the latest version of Suricata.
>>>>>>>>> I have merged your monster of a patch so that we can move on
>>>>>>>>> for
>>>>>>>>> now, but I have a couple of bigger questions that we all
>>>>>>>>> should
>>>>>>>>> have a look at:
>>>>>>>>> Adolf has in the past spent a lot of time on updating Rust.
>>>>>>>>> This
>>>>>>>>> is all tapping into Python - or rather python-cryptography -
>>>>>>>>> having some Rust code that has further dependencies. In
>>>>>>>>> essence,
>>>>>>>>> it has been a huge headache to update this. Maybe Adolf even
>>>>>>>>> has
>>>>>>>>> some other words for this all.
>>>>>>>>
>>>>>>>> My words on this are that I have now tried multiple times to
>>>>>>>> get
>>>>>>>> a
>>>>>>>> new python update built. Each time I have done it a bit
>>>>>>>> different
>>>>>>>> but the end result has been the same and that is that python-
>>>>>>>> cryptography (which requires rust modules to be built) ends up
>>>>>>>> requiring python-maturin that requires more rust modules but at
>>>>>>>> the
>>>>>>>> end of this the python-cryptography fails to find the built
>>>>>>>> rust
>>>>>>>> modules.
>>>>>>>>
>>>>>>>> I have been stuck at this last point so many times that I have
>>>>>>>> realised that I am finding lots of reasons not to go and work
>>>>>>>> on
>>>>>>>> the python update.
>>>>>>>> That is not a good position and also python has now moved from
>>>>>>>> 3.13
>>>>>>>> to 3.14 so things are moving away from me.
>>>>>>>>
>>>>>>>> I have come to the conclusion that someone else, more capable
>>>>>>>> than
>>>>>>>> me needs to have a go at the python update, so I am giving up
>>>>>>>> on
>>>>>>>> it
>>>>>>>> but will continue working on other things.
>>>>>>>
>>>>>>> Hmm okay, you sound like you are giving up on this :) I know how
>>>>>>> many
>>>>>>> hours (we probably need to measure those in days or even weeks)
>>>>>>> you
>>>>>>> have spent on this though.
>>>>>>>
>>>>>>> Let’s pool resources together and finally get this done.
>>>>>>> Hopefully
>>>>>>> this will be a smoother ride as a combined effort.
>>>>>>>
>>>>>>>>> Just building cbindgen has required a further ~98 Rust crates
>>>>>>>>> to
>>>>>>>>> be packaged. Often we have the same crate in different
>>>>>>>>> versions
>>>>>>>>> because other crates have pinned a specific version. In
>>>>>>>>> total,
>>>>>>>>> we
>>>>>>>>> currently have ~790 packages in IPFire. Out of those, there
>>>>>>>>> are
>>>>>>>>> 202 packages in the rust-* namespace. That is pretty much a
>>>>>>>>> quarter of the distribution. Although not a lot in size, this
>>>>>>>>> is
>>>>>>>>> a considerable maintenance burden.
>>>>>>>>> ClamAV and Suricata have (recently?) started to bundle all
>>>>>>>>> their
>>>>>>>>> Rust dependencies with their release tarballs. Although this
>>>>>>>>> is
>>>>>>>>> not a good thing for many other reasons, it will move the
>>>>>>>>> onus
>>>>>>>>> onto the upstream projects to provide whatever they need. If
>>>>>>>>> their dependencies (and the dependencies of their
>>>>>>>>> dependencies)
>>>>>>>>> explode, this is not really our problem any more as well as
>>>>>>>>> any
>>>>>>>>> supply chain problems. Great - within reason.
>>>>>>>>> That leaves us with only very few packages that would
>>>>>>>>> actually
>>>>>>>>> require any external Rust crates (Suricata is even configured
>>>>>>>>> to
>>>>>>>>> *exclusively* use their bundled crates): cbindgen as a new
>>>>>>>>> thing,
>>>>>>>>> python-cryptography, anything else? We might actually only
>>>>>>>>> need
>>>>>>>>> a
>>>>>>>>> fraction of the Rust crates that we currently have as the
>>>>>>>>> only
>>>>>>>>> packages that may actually tap into our locally built
>>>>>>>>> repository
>>>>>>>>> are only those two.
>>>>>>>>
>>>>>>>> Unfortunately there is the addon oci-python-sdk that uses
>>>>>>>> python-
>>>>>>>> cryptography.
>>>>>>>
>>>>>>> python-cryptography was on my list. oci-python-sdk only uses Rust
>>>>>>> indirectly through python-cryptography, right?
>>>>>>>
>>>>>>>>> Is anyone happy to give this all a try and cleanup any old
>>>>>>>>> Rust
>>>>>>>>> deps? That way, I hope we will have a much smoother ride
>>>>>>>>> moving
>>>>>>>>> forward with a Python update.
>>>>>>>>
>>>>>>>> I can take the current status, before Stefan's patches, and see
>>>>>>>> how
>>>>>>>> many existing rust modules can be removed. Anything that can be
>>>>>>>> removed is a step forward.
>>>>>>>
>>>>>>> Yes, I think we should try to shrink what we have now if that is
>>>>>>> possible at all. As most packages are bundling all Rust deps,
>>>>>>> there
>>>>>>> should be some we won’t need any more in the system.
>>>>>>>
>>>>>>> Then, we hopefully have much less to update/worry about in any
>>>>>>> other
>>>>>>> way when we start touching python-cryptography.
>>>>>>>
>>>>>>> So who is volunteering to do this? Commenting out all Rust
>>>>>>> packages,
>>>>>>> then build python-cryptography which will fail as it requires
>>>>>>> some
>>>>>>> Rust crates. Those will be there so they will only have to be
>>>>>>> commented in again. Once the package builds, we should then have
>>>>>>> a
>>>>>>> couple of packages still commented that we can drop.
>>>>>>>
>>>>>>>> I think a problem moving forward is that more python modules
>>>>>>>> are
>>>>>>>> ending up being a combination of python and rust as the
>>>>>>>> cryptography and maturin modules have already done. I have also
>>>>>>>> seen a lot of rust modules covering the same stuff as covered
>>>>>>>> by
>>>>>>>> python modules. So the future I think looks like it will
>>>>>>>> continue
>>>>>>>> to be very frustrating.
>>>>>>>
>>>>>>> Yes it does, but we will have to find a way whether we want it or
>>>>>>> not.
>>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Adolf.
>>>>>>>>
>>>>>>>>
>>>>>>>>> All the best,
>>>>>>>>> -Michael
>>>>>>>>>> On 22 Jan 2026, at 17:38, Stefan Schantl
>>>>>>>>>> <stefan.schantl@ipfire.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello list followers,
>>>>>>>>>>
>>>>>>>>>> I'm currently updating rust and affected modules.
>>>>>>>>>>
>>>>>>>>>> This happends mainly because I'm trying to fix the
>>>>>>>>>> "suricata
>>>>>>>>>> cache
>>>>>>>>>> grows infinite" problem, which a lot of people are
>>>>>>>>>> affected.
>>>>>>>>>>
>>>>>>>>>> To archive this, I ported the patches from suricata main
>>>>>>>>>> development
>>>>>>>>>> branch to our used suricata version (8.0.3).
>>>>>>>>>>
>>>>>>>>>> To perform a full build, a new tool called cbindgen - which
>>>>>>>>>> is
>>>>>>>>>> a rust
>>>>>>>>>> to c bindings generator, is required.
>>>>>>>>>>
>>>>>>>>>> Sadly this tool is also written in rust and requires some
>>>>>>>>>> new
>>>>>>>>>> dependencies and a more up to date rust compiler.
>>>>>>>>>>
>>>>>>>>>> I hope to send a patchset for all this very soon to the
>>>>>>>>>> mailing
>>>>>>>>>> list.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>>>>>> -Stefan
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2026-01-27 15:46 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-01-22 17:38 Updating rust and eco system Stefan Schantl
2026-01-23 5:26 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Stefan Schantl
2026-01-23 5:26 ` [PATCH 1/3] suricata: Add upstream patch to purge sgh-mpm-caches Stefan Schantl
2026-01-23 5:26 ` [PATCH 2/3] rust: Update to 1.92.0 Stefan Schantl
2026-01-23 10:09 ` [PATCH 0/3] suricata: Add ability to purge the sgh cache Michael Tremer
2026-01-23 10:33 ` Adolf Belka
2026-01-23 10:43 ` Michael Tremer
2026-01-23 10:31 ` Updating rust and eco system Michael Tremer
2026-01-23 11:06 ` Adolf Belka
2026-01-25 14:19 ` Michael Tremer
2026-01-25 17:46 ` Stefan Schantl
[not found] ` <a7484943d784c0a6e2088b2354f08bfbf42658b2.camel@gmx.at>
2026-01-26 13:54 ` Stefan Schantl
2026-01-26 15:31 ` Stefan Schantl
2026-01-26 17:23 ` Michael Tremer
2026-01-26 19:07 ` Adolf Belka
2026-01-27 10:36 ` Michael Tremer
2026-01-27 15:45 ` Adolf Belka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox