From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4gLGQd4nK4z2xxR for ; Wed, 20 May 2026 15:57:45 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4gLGQQ6yCHz2xLm for ; Wed, 20 May 2026 15:57:34 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4gLGQP6fNWz14d; Wed, 20 May 2026 15:57:33 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1779292654; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FlJFvlFfqqk2E3FsMHcaoTMYm6R0snbMTfK0o+uAPb4=; b=Fe5HGvWvGzmBm/wkyneYXbJY4lMO0CmRJ9XDzJKTK1u+DXpWNG+ETfYTXdM18Xn9OConLu P5iA+BCkQY3jAoAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1779292654; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FlJFvlFfqqk2E3FsMHcaoTMYm6R0snbMTfK0o+uAPb4=; b=ZBI5R3JOmZq9434rz8pUPjbaf0o5Zr6b6T7VGP1ZnUH655XraVLmZAxMrC5EKuWe4mVjFR gGZBzMt3OmRce4DLJLySk/8sR0eUsZXIFg61nof0s/vkLGd1ubt6oIdSueqKe/qkF9xnMj BeYSFaJijHB7eADMLvsKXk1t6/EbO56HnnjBXD5MIhsGj5d5/8ENxh/mIpo9NgFz5R1whr +Iokt3x0qeWZlPP9kp9b4KD+hyqDcNJuWEtalDr9asEELetOtSjm/jQnqS5sz5nAOWWQYV eLT8O2tl2TZrk7cKHBOX9HxYWst8AQ09RAMfkYEo9rXhphgZABFBPhXXVLQ6rw== Message-ID: Date: Wed, 20 May 2026 17:57:25 +0200 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Subject: Re: Problem with update of nettle to 4.0 To: Michael Tremer Cc: "IPFire: Development-List" References: <6AE8ADFC-BBFE-485D-A646-7C9705C0782C@ipfire.org> Content-Language: en-GB From: Adolf Belka In-Reply-To: <6AE8ADFC-BBFE-485D-A646-7C9705C0782C@ipfire.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Michael, On 20/05/2026 17:32, Michael Tremer wrote: > Hello Adolf, > > Thanks for looking into this. > > I wasn’t quite aware how outdated we are on squid, so let’s change that. I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch. Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x > > I checked the code and there are exactly two places where nettle is being used: > > * The base64 encoder/decoder > https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13 > > * Some code to compute MD5 checksums > https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13 This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line. > > Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API. > > Let me know if this helps. I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes. Regards, Adolf. > > All the best, > -Michael > >> On 20 May 2026, at 13:47, Adolf Belka wrote: >> >> Hi all, >> >> For information. >> >> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0 >> >> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them. >> >> Many of those packages have already issued updated versions that now work with nettle-4.0 >> >> That is not the case with squid. Here we have a greater problem. >> >> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters. >> >> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14 >> >> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code. >> >> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025. >> >> There also seems to be questions about squid-8.x and if it will have even more major changes to options. >> >> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd >> >> I will try and see if any other packages we run have any linkage to nettle. >> >> Regards, >> >> Adolf. >> >