RPM 6.0.0

Szerszám

Megjelent a RPM, azaz az RPM Package Manager (korábban Red Hat Package Manager) 6.0.0-s kiadása. Major kiadás, tehát nagy lépékű változásokkal érkezett:

Download

  • Source: rpm-6.0.0.tar.bz2
  • SHA256SUM: 14abb1b944476788d90005d8d61d5d30fce80d9f0de11eb657b14e5c9ef27441

Changes since 4.20.1

Overview

  • Support for both RPM v4 and v6 packages (see Compatibility Notes)
  • Support for multiple OpenPGP signatures per package (#3385)
  • Support for OpenPGP v6 and PQC keys and signatures (#3363)
  • Support for updating previously imported keys (#2577)
  • Support for installing RPM v3 packages has been removed (#1107)
  • RPM defaults to enforcing signature checking (#1573)
  • RPM uses the full key ID or fingerprint to identify OpenPGP keys everywhere (#2403)
  • Man page and other documentation overhaul (#3612, #3669, #3751)
  • Pristine and verifiable release tarballs (#3565) (#2702)

General Use

  • Several enhancements to rpmkeys(8):
    • rpmkeys --import can now be used to update keys (#2577). This also updates the key handle from a short ambiguous key id to full fingerprint.
    • rpmkeys --import now also works from a pipe
    • rpmkeys --export added for exporting keys
    • rpmkeys --checksig, --list, --delete use and expect full fingerprint of the keys (#3360)
    • rpmkeys works identically with all keystore backends
    • rpmkeys --rebuild can be used to rebuild the keystore contents and move between different keystore backends (#3347)
    • rpmkeys key lookup is now case-insensitive
  • Several enhancements to rpmsign(1):
    • rpmsign can use either GnuPG or Sequoia-sq for signing (controlled by %_openpgp_sign macro (gpg or sq))
    • rpmsign --addsign no longer replaces existing signatures. Arbitrary number of signatures can be added on v6 packages by default and on v4 packages, with --rpmv6
    • rpmsign --resign replaces all existing signatures with a new one
  • New query tag extensions (e.g. with --qf <format>):
    • rpmformat for determining package format version (3/4/6)
    • openpgp for managing all supported OpenPGP signature types
  • New query formatter :hashalgo for displaying hash algorithm names
  • New --filemime query alias for querying per-file MIME info
  • Consistent terminology and case usage in signature and key messages
    • OpenPGP signatures are called OpenPGP in output
    • RPM v3 header+payload signatures are called “legacy” in output
  • New feature to calculate a set of configurable digests on verification and safe them in the rpmdb. This can help identifying the originating package file. (RHEL-35619)
  • Fix scriptlet errors not reflected in transaction result code (#2581)
  • Fix %triggerprein and %triggerun not failing the associated install/erase operation (#3815)
  • Fix --hash, --percent and --test not working with --restore (#3917)
  • Fix a segfault and memory leaks in rpmgraph(1) (#3925)
  • Fix rpm2archive(1) using the same suffix for tar and cpio (#3922)
  • Man page overhaul (WIP):
  • Versioned documentation on https://rpm.org/docs/
    • Man pages
    • Reference manual
    • API docs

Packaging

  • rpmbuild(1) now supports generating two different package formats, controlled by %_rpmformat macro value 6/4:
  • rpmbuild(1) can now automatically sign packages if %_openpgp_autosign_id macro is defined (#2678)
  • New command rpm-setup-autosign(1) added for easy auto-signing configuration (#3522)
  • New %{span:...} macro to make defining multi-line macros nicer
  • New %{xdg:...} macro for evaluating XDG base directories
  • Add support for E2K architecture
  • Fix sources and patches stored in reverse order in the header (#3014)
  • Fix Lua rpm.glob() not honoring the c argument (#3794)
  • Fix architecture checking accidentally moved after build (#3569)
  • Fix buildsys specific %prep section not accepted (#3635)
  • Fix check-rpaths brp script when both RPATH and RUNPATH exist (#3667)
  • Fix a memory leak in rpmspec --shell
  • Fix 4.20 regression on rpmbuild -rs failing on non-existent directory (#3682)
  • Fix an extra newline printed on rpm --eval
  • Fix a segfault on invalid dependency generator output in multi mode (#3821)
  • Fix brp-strip-comment-note failure due to a race condition
  • brp-elfperms buildroot policy script was removed (#3195)
  • Drop support for obsolete --nodirtokens rpmbuild(1) switch (#3927)

API Changes

  • New functions related to rpmKeyring:
    • rpmKeyringInitIterator(), rpmKeyringIteratorNext(), rpmKeyringIteratorFree() for iterating over keyring contents
    • rpmKeyringVerifySig2()
    • rpmKeyringLookupKey() for finding a key in a keyring
    • rpmKeyringModify()
  • New functions related to rpmPubkey:
    • rpmPubkeyFingperint(), rpmPubkeyFingerprintAsHex(), rpmPubkeyKeyIDAsHex() and rpmPubkeyArmorWrap() accessors
    • rpmPubkeyMerge() for merging two pubkeys describing the same key
  • New functions for managing transaction permanent keystore:
    • rpmtxnImportPubkey() for importing keys
    • rpmtxnDeletePubkey() for deleting pubkey’s from transaction keystore
    • rpmtxnRebuildKeystore() for rebuilding transaction keystore
  • New flags to control rpmSign() operation added: RPMSIGN_FLAG_RESIGN, RPMSIGN_FLAG_RPMV4, RPMSIGN_FLAG_RPMV6
  • New functions for controlling per-package verification level:
    • rpmteVfyLevel() and rpmteSetVfyLevel()
    • te.VfyLevel() and te.SetVfyLevel() in the Python bindings
  • New identifiers related to multiple signature support added:
    • RPMTAG_OPENPGP rpm tag
    • RPMSIGTAG_OPENPGP signature header tag (alias to RPMTAG_OPENPGP)
    • RPMVSF_NOOPENPGP verification flag
  • New rpm tags: RPMTAG_PAYLOADSIZE, RPMTAG_PAYLOADSIZEALT, RPMTAG_RPMFORMAT, RPMTAG_FILEMIMEINDEX, RPMTAG_MIMEDICT, RPMTAG_FILEMIMES, RPMTAG_SOURCENEVR, RPMTAG_PAYLOADSHA512, RPMTAG_PAYLOADSHA512ALT, RPMTAG_PAYLOADSHA3_256, RPMTAG_PAYLOADSHA3_256ALT, RPMTAG_SHA3_256HEADER
  • Renamed rpm tags:
    • RPMTAG_PAYLOADDIGEST to RPMTAG_PAYLOADSHA256
    • RPMTAG_PAYLOADDIGESTALT to RPMTAG_PAYLOADSHA256ALT
    • RPMTAG_PAYLOADDIGESTALGO to RPMTAG_PAYLOADSHA256ALGO (obsolete)
  • New identifiers related to SHA-3 added: RPM_HASH_SHA3_256, RPM_HASH_SHA3_512
  • New symbols related to MIME types in v6 packages:
    • rpmfilesFMime(), rpmfiFMime() for retrieving per-file MIME info
    • RPMFI_NOFILEMIME flag to control behavior
  • New OpenPGP identifiers related to RFC-9580 added
  • New pgpDigParamsSalt() function retrieving OpenPGP v6 signature pre-salt (#3846)
  • New rpmDigestBundleUpdateID() function for updating individual ID’s in a digest bundle (#3845)
  • rpmtsAddInstallElement() returns 3 on unsupported package format
  • fdSize() returns an error on non-regular files

Internal Improvements

  • RPM is now built as C++20 code (except for plugins and Python bindings)
    • More background available in the initial announcement
    • All relevant sources have been renamed to .cc or .hh extension
    • Many dynamic data structures moved to STL and other similar refactorings
  • Numerous improvements to the test-suite
    • Simplify test creation
  • Add an actual keystore abstraction
  • New openpgp.cert.d based keystore (experimental) (#3341)
  • New make site build target for easy local rendering of documentation
  • Make reference counting atomic throughout the codebase
  • Make the test-suite image toolbox(1) ready
  • Support underscores in RPMTAG names
  • Fix 4.20 regression signature size reservation not being used (#3768)
  • Fix alternatives mechanism unintentionally kicking in for signatures (#3872)
  • Fix keystore reads lacking transaction lock
  • Fix a race condition in rpmioMkpath() (#3508)
  • Fix recursion depth for macro error message (#3197)
  • Fix empty password field in passwd/group causing entry to be ignored (#3594)
  • Fix built-in macros not usable before loading macro files (#3638)
  • Fix fdSize() failure handling in rpmSign()
  • Fix pseudo-tags without an associated type showing up in –querytags
  • Fix rpm install prefix not honored in the legacy find-provides and find-requires dependency generator scripts
  • Fix Python reference leaks related to archive handling
  • Fix non-deterministic storage of dependency information in packages (#1056)
  • Fix sysusers script escaping chroot for u! entires
  • Fix RPM 4.19 regression on failed update return code (#3718)
  • Issue a warning on macrofiles entry in an rpmrc (#3901)
  • Recreate the transaction lock file after --rebuilddb (#3886)
  • Drop gpg(keyid) provides from gpg-pubkey headers (#3360)
  • Eliminate various internal symbols accidentally leaking to the ABI
  • Eliminate uses of non-portable signal(2) API (#3688)
  • Optimize rpmlog() locking
  • Python bindings:
    • Support Python module isolation (RhBug:2327289)
    • Fix some resource leaks, run tests with ASAN

Building RPM

  • A C++20 compiler is now required in addition to a C99 compiler, but C++20 modules support is not required.
  • rpm-sequoia >= 1.9.0 is now required for building with Sequoia (default)
  • Python >= 3.10 is now required for building the Python bindings
  • scdoc man page generator is now required for building RPM
  • Pre-built API documentation is no longer shipped in the release tarballs. Building it is optional, but Doxygen is required for doing so. Pre-built API documentation for all releases can be found in https://ftp.rpm.org/api/

Compatibility Notes

Package format
  • New RPM v6 package format
    • All file sizes and related limits are 64bit
    • Crypto modernization
      • Obsolete crypto (MD5 and SHA1) dropped
      • SHA3-256 header digest added (#3797)
      • SHA512 and SHA3-256 payload digests added (#3642, #3894)
    • Per-file MIME info
    • Widely compatible with RPM >= 4.14
    • The “external” dependency generator mode no longer supported with v6 packages (#2373)
    • rpmlib() dependencies for pre-4.6 features removed to reduce clutter (#3854)
    • Can be queried with RPM >= 4.6
    • Can be unpacked with RPM >= 4.12
    • Can be verified and installed with RPM >= 4.14 (with caveats/limitations)
  • RPM v4 packages:
    • Built packages are identical to those generated by RPM 4.x versions
    • Remain fully supported
    • In the default configuration, packages built with RPM < 4.14.0 cannot be verified due to their use of weak, obsolete MD5 and SHA1 digests. For strongly signed packages, this can be worked around by changing %_pkgverify_level to signature so the weak digests are simply ignored. If verifying the weak digests is necessary, the RPM 4.x behavior can be restored by setting %_pkgverify_flags to 0.
  • Support for installing RPM v3 packages has been removed. (#1107) They can still be queried and also unpacked with rpm2cpio(1).
  • RPM defaults to building v6 packages, this can be changed with the %_rpmformat macro.
  • Lua posix.fork() family of calls, deprecated in 4.20, is disabled in packages built with RPM >= 6.0. They continue to function in packages built by RPM <= 4.20 however.
Other
  • Package signing key configuration differs from the past. To support other implementations besides GnuPG, the signer ID is now set via %_openpgp_sign_id macro, which defaults to %{?_gpg_name} for backwards compatibility.
  • The low-level package signing macros are now parametric, any custom %__gpg_sign_cmd overrides will simply not work as such. Users are encouraged to look into dropping such overrides rather than just updating, most such overrides haven’t been necessary in a long time.
  • %_passwd_path and %_group_path are now treated as colon separated paths to allow using multiple files as the source of NSS information (e.g. with nss-altfiles)
  • --pkgid and --hdrid query CLI-switches have been dropped (#2633)