From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4gLFt15VJKz2xxR for ; Wed, 20 May 2026 15:32:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4gLFsy2rQpz2xHN for ; Wed, 20 May 2026 15:32:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4gLFsx3P0xzm6; Wed, 20 May 2026 15:32:53 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1779291173; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PQCJTUFMKDgSahp3jGVIBm8+UfUTfoAfKA4Vgg2FgKg=; b=4oKALzw62ijXuZ3dQbpOvL8XJSHMAR+z9zlUSVo5Uul0ONsbfC5vvD0e0L7+iBVnP9H3VA bKRUfa97522iQACw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1779291173; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PQCJTUFMKDgSahp3jGVIBm8+UfUTfoAfKA4Vgg2FgKg=; b=XO/knqXDoS3HkKjopZlNqAawdZ0pr82/18BavnYTYtwkwfWMr55viVBZ/F24Velov2ZDJI ApHL8hcmMxW0hnZg0KFsVKjjRV5dxPyW5Fq3RP+zN+EgJdaWBtUnIl5FCjSh8UdpeiHTfp qFSWBTl2ozlsc2WlCUlXXMSS/t5Qv4H2OVdaRngNHNcaYRRGH4ahfj1hNFWMEKK6yetGA7 HTrU40KneRErgXGyl6t8TRYu9PdQePKoBb0C7atIb4Zs8LrPYAbrjB1Fo5a0nD7CHXpHEz u2a9gPPkJTAXSB68fn6tJfiKQQ3pKs+bFFoJpKWqzLBw6oPBqAPUBXlyrUheEw== Content-Type: text/plain; charset=utf-8 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: Mime-Version: 1.0 Subject: Re: Problem with update of nettle to 4.0 From: Michael Tremer In-Reply-To: Date: Wed, 20 May 2026 16:32:52 +0100 Cc: "IPFire: Development-List" Content-Transfer-Encoding: quoted-printable Message-Id: <6AE8ADFC-BBFE-485D-A646-7C9705C0782C@ipfire.org> References: To: Adolf Belka Hello Adolf, Thanks for looking into this. I wasn=E2=80=99t quite aware how outdated we are on squid, so let=E2=80=99= s change that. I checked the code and there are exactly two places where nettle is = being used: * The base64 encoder/decoder = https://git.ipfire.org/?p=3Dthirdparty/squid.git;a=3Dblob;f=3Dinclude/base= 64.h;hb=3D5c1d937d2068e4861f206884cebb02d2958d3563#l13 * Some code to compute MD5 checksums = https://git.ipfire.org/?p=3Dthirdparty/squid.git;a=3Dblob;f=3Dinclude/md5.= h;hb=3D5c1d937d2068e4861f206884cebb02d2958d3563#l13 Both have an alternative implementation, so it is absolutely safe for us = to build squid with --without-nettle. That way we won=E2=80=99t be held = back until they have agreed on a unified API. Let me know if this helps. All the best, -Michael > On 20 May 2026, at 13:47, Adolf Belka wrote: >=20 > Hi all, >=20 > For information. >=20 > A new nettle version has come out. Our old version was 3.10.2 and the = new one is 4.0 >=20 > Unfortunately nettle-4.0 has a new API/ABI and several packages that = use nettle have found that it won't build for them. >=20 > Many of those packages have already issued updated versions that now = work with nettle-4.0 >=20 > That is not the case with squid. Here we have a greater problem. >=20 > Currently we are on squid-6.14 and the current release is squid-7.5. = squid-6.14 fails to build with nettle-4.0 as there are changes in = various variables/parameters. >=20 > squid-7.5 does not yet have any fix for the nettle API/ABI changes. I = did find some discussion on it in the Pull Requests section but there = seems to be some disagreement between various of the squid contributors = which seems to be blocking anything being accepted. It is also not clear = if that pull request would fix the error that I found in my build with = squid-6.14 >=20 > squid has not been updated to the 7.x branch in IPFire because there = were a lot of significant changes in it which would require some = re-write of our web proxy code. >=20 > It is probably worth noting that squid-6.14 stopped getting any = security support in July 2025. >=20 > There also seems to be questions about squid-8.x and if it will have = even more major changes to options. >=20 > squid typically is having a two year cycle on their major branch = changes and so the expectation is that squid-7.x will go EOL somewhere = around July 2027 with squid-8.x having beta status in Feb 2027 and = stable declaration in July 2027 when 7.x is EOL'd >=20 > I will try and see if any other packages we run have any linkage to = nettle. >=20 > Regards, >=20 > Adolf. >=20