Re: Problem with update of nettle to 4.0

[Michael Tremer <michael.tremer@ipfire.org>]

Hello Adolf,

Thanks for looking into this.

I wasn’t quite aware how outdated we are on squid, so let’s change that.

I checked the code and there are exactly two places where nettle is being used:

  * The base64 encoder/decoder
    https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13

  * Some code to compute MD5 checksums
    https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13

Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.

Let me know if this helps.

All the best,
-Michael

> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi all,
> 
> For information.
> 
> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
> 
> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
> 
> Many of those packages have already issued updated versions that now work with nettle-4.0
> 
> That is not the case with squid. Here we have a greater problem.
> 
> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
> 
> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
> 
> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
> 
> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
> 
> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
> 
> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
> 
> I will try and see if any other packages we run have any linkage to nettle.
> 
> Regards,
> 
> Adolf.
>