* Security bug fixes
    - CVE-2025-54389: Escape control characters in report and log output
    - CVE-2025-54409: Fix null pointer dereference after reading incorrectly
                      encoded xattr attributes from database

* Fix race condition when adding new nodes
* Extend expiration dates of GPG key in SECURITY.md
* Define MAGIC constants added since Linux 4.9

* BACKWARDS INCOMPATIBLE CHANGES
    - switch from libmhash to libnettle
    - semantic change of unrestricted negative rules (!<regex>): The
      children and sub-directories of matching directories are no longer
      ignored by default but recursed into and only ignored if they also
      match the regular expression. This makes the behaviour consistent
      with restricted (recursive) negative rules. Use the new non-recursive
      negative rules (-<regex>) to always ignore children and
      sub-directories of matched directories.
    - 'database' config option is no longer supported, use
      'database_in' instead
    - 'summarize_changes' config option is no longer supported, use
      'report_summarize_changes' instead
    - 'grouped' config option is no longer supported, use
      'report_grouped' instead
    - an incomplete written input database is now handled as an error
    - SIGHUP and SIGTERM are no longer ignored
    - SIGINT, SIGTERM or SIGHUP are now handled by removing an incompletely
      written database (if file was created by aide) and exiting aide (code 25)
    - move COMPARE log level before RULE log level
    - switch hashsum in default R group from md5 to sha3_256
    - remove unsupported hashsums (haval, crc32, crc32b, tiger, whirlpool)
    - H default group now contains all compiled in hashsums that are not
      deprecated
    - rules are no longer applied to the database entries but only to the
      file system entries, meaning aide displays files/directories that are
      no longer matched by any rule as removed entries in the report
    - require pthread (remove --without-pthread configure option)
    - remove contrib/ scripts
* Deprecations (to be removed in the release after next):
    - md5 hashsum
    - sha1 hashsum
    - rmd160 hashsum
    - gost hashsum
* Add support for file system type restricted rules (Linux only)
    - add 'fstype' attribute
    - add '--without-fstype' configure option
* Add 'version_ge' boolean operator
* Add limited support for hashsum transitions (see aide.conf(5) for details)
* Add 'sha512_256', sha3_256, and 'sha3_512' hashsums
* Add AIDE_VERSION macro variable
* Add progress bar (add '--no-progress' parameter)
* Add log level 'limit'
* Add colors to log output (add '--no-color' parameter)
* Add '--list' command (to list database in human readable format)
* Add new error codes
    - 24: database error
    - 25: received SIGINT, SIGTERM or SIGHUP signal
* Performance improvements
* Improve error handling
* Improve logging
* Update documentation
* Bug fixes
* Code clean up
* Add more unit tests

* Fix concurrent reading of extended attributes (xattrs)
* Raise warning if both input databases are the same

* Add missing library CFLAGS
* Fix typo in aide.conf manual page
* Fix 64-bit time_t on 32-bit architectures
* Fix debug logging for returned attributes
* Fix condition for error message of failing to open gzipped files

* Update GPG key in SECURITY.md
* Fix double free() during report generation
* Improve handling of ACL errors

* Fix child directory processing on equal match

* Fix handling of extended attributes on symlinks
* Add missing ')' to log message
* Fix static linking of the aide binary
* Don't require database_out for --dry-init
* Remove strerror() calls from thread log messages

Please note:
The fix for extended attributes on symlinks might lead to reported changed entries
during the next AIDE run. You can use the `report_ignore_changed_attrs` option
(see aide.conf(5)) to ignore changes of the xattrs attribute; but be aware that this
will not only exclude the expected changes (of the symlink files) but also the unexpected
changes (of other files).

* Handle readlink() errors

* Add warning if rules contain not compiled-in attributes
* Add missing lock for tree operations during file system scan