Hello Stefan, Hello list, Thank you for looking at this. Of course it is very important that we are able to stay on the latest version of Suricata.
I have merged your monster of a patch so that we can move on for now, but I have a couple of bigger questions that we all should have a look at: Adolf has in the past spent a lot of time on updating Rust. This is all tapping into Python - or rather python-cryptography - having some Rust code that has further dependencies. In essence, it has been a huge headache to update this. Maybe Adolf even has some other words for this all. Just building cbindgen has required a further ~98 Rust crates to be packaged. Often we have the same crate in different versions because other crates have pinned a specific version. In total, we currently have ~790 packages in IPFire. Out of those, there are 202 packages in the rust-* namespace. That is pretty much a quarter of the distribution. Although not a lot in size, this is a considerable maintenance burden. ClamAV and Suricata have (recently?) started to bundle all their Rust dependencies with their release tarballs. Although this is not a good thing for many other reasons, it will move the onus onto the upstream projects to provide whatever they need. If their dependencies (and the dependencies of their dependencies) explode, this is not really our problem any more as well as any supply chain problems. Great - within reason. That leaves us with only very few packages that would actually require any external Rust crates (Suricata is even configured to *exclusively* use their bundled crates): cbindgen as a new thing, python-cryptography, anything else? We might actually only need a fraction of the Rust crates that we currently have as the only packages that may actually tap into our locally built repository are only those two. Is anyone happy to give this all a try and cleanup any old Rust deps? That way, I hope we will have a much smoother ride moving forward with a Python update. All the best, -Michael > On 22 Jan 2026, at 17:38, Stefan Schantl <[email protected]> wrote: > > Hello list followers, > > I'm currently updating rust and affected modules. > > This happends mainly because I'm trying to fix the "suricata cache > grows infinite" problem, which a lot of people are affected. > > To archive this, I ported the patches from suricata main development > branch to our used suricata version (8.0.3). > > To perform a full build, a new tool called cbindgen - which is a rust > to c bindings generator, is required. > > Sadly this tool is also written in rust and requires some new > dependencies and a more up to date rust compiler. > > I hope to send a patchset for all this very soon to the mailing list. > > Best regards, > > -Stefan > >
