Red Hat Summit22.3. Notable changes to RPM
Red Hat Enterprise Linux 10 is distributed with RPM version 4.19. This version introduces many enhancements over its previous versions.
22.3.1. Improved user experience and security
A new OpenPGP backend based on Sequoia
RPM now uses Sequoia PGP for the verification of package signatures, which replaces the legacy OpenPGP parser. Sequoia PGP is a modern, Rust-based implementation of the OpenPGP standard that focuses on safety and robustness.
Major updates to cryptography
RHEL 10.1 introduces the following updates to RPM cryptography, which provide major security enhancements to signing and verifying RPM packages:
- Support for multiple signatures in a package
- Support for the new OpenPGP (RFC-9580) standard
- Support for post-quantum cryptography (PQC) in RPM packages. PQC is a set of algorithms that should withstand the attacks of quantum computers, enhancing software security. To sign a package with PQC algorithms, you can use Sequoia PGP software.
For more information, see Signing RPM packages with Sequoia PGP by using PQC.
rpmsign --addsign no longer replaces existing signatures in an RPM package
Before this update the rpmsign --addsign command replaced any existing signatures in an RPM package. Starting from RHEL 10.1, rpmsign --addsign only adds new signatures and never deletes any. If an identical signature is already present in a package, RPM prints an error message and keeps the existing signature untouched.
For more information, see Signing RPM packages with Sequoia PGP by using PQC.
A new rpmlua command-line tool
This tool runs the RPM Lua interpreter in a standalone way that you can use for the development and testing of Lua scriptlets and macros. For more information, see the rpmlua(8) man page on your system.
A new rpmsort command-line tool
This tool allows you to sort RPM versions passed on standard input, similar to sort(1) but with the awareness of RPM versioning scheme. For more information, see the rpmsort(8) man page on your system.
A new dbus-announce plug-in
This plug-in writes basic information about RPM transactions to the system D-Bus, for example, when packages are installed or removed. Other programs can subscribe to these signals to be notified of such events.
Downgrade support in --freshen mode
Previously, you could use the --freshen option only to upgrade packages that were already installed and skip packages that were not installed. With this enhancement, you can also use this operation to downgrade such packages. To do this, combine the --freshen (F) option with the --oldpackage option.
22.3.2. Improved packaging experience
Support for dynamic spec generation
You can now add subpackages during the build process by placing files containing spec parts into a predefined location. For more information, see Dynamic Spec Generation.
A new --shell option in the rpmspec command-line tool
This option runs an interactive RPM macro interpreter that you can use for the development and testing of RPM macros, either in or outside of the context of a spec file. For more information, see the rpmspec(8) man page on your system.
Support for applying individual patches in %autopatch
You can now list specific patch numbers as positional arguments, for example, %autopatch 1 4 6 to apply patch numbers 1, 4 and 6.
Proper shell-like globbing and escaping in the %files section
Wildcard patterns and escaping characters, such as backslashes and quotes, in filenames are now interpreted in a more conventional way, mirroring the behavior of shell interpreters such as Bash. Previously, undocumented limitations and exceptions to these rules could have unexpected results and could prevent the use of more complex patterns in the %files section of a spec file.
A new tag in source RPM packages containing the parsed and expanded contents of the spec file
To help with analyzing packaging issues, a new RPMTAG_SPEC tag is now added to source RPM packages. This tag includes the contents of the expanded spec file in the form used during the build. You can view this tag by executing the rpm --qf ‘%{spec}’ -q /path/to/my/src.rpm command.
Build parallelism now considers system resources
RPM now considers the available physical memory and address space when estimating the number of parallel processes and threads to use when building packages. This helps to prevent performance issues or build failures on systems with constrained resources, such as systems with a large number of CPUs but a limited amount of memory.
You can adjust these estimates by specifying the amount of memory a single process or thread is assumed to require for your build by defining the %_smp_tasksize_proc and %_smp_tasksize_thread macros, respectively. Both macros have the default value of 512 MB. For example, if your system has performance issues, you can increase these values for RPM to allocate fewer CPUs for the build. Likewise, if your system is underutilized, you can decrease these values for RPM to allocate more CPUs.
For more information, see Macros for controlling build parallelism.
Payload compression with zstd now supports multi-threading
The zstdio compression method now accepts an optional T parameter that specifies the number of threads to use when compressing payload during the build. This can help reduce the build time of large packages. To enable this feature, set the %_binary_payload and %_source_payload macros accordingly. For more information, see the associated comment block in the /usr/lib/rpm/macros file and the expected format table.
A new optional %conf spec file section
You can use this section to configure the unpacked sources for building instead of configuring them in the %prep or %build sections of a spec file.
Lua-native macro integration
The embedded Lua interpreter has been updated to include the following enhancements:
Easy access to options and arguments through Lua tables
Previously, you had to use the
rpm.expand()function to access the options and arguments of parametric Lua macros. With this enhancement, these macros receive their options and arguments as theoptandarglocal tables, respectively.Simplified access to macros
Macros can now be accessed through the
macrostable in the global Lua environment. This table can also be used to call parametric macros, including all built-in macros.New bindings for RPM version objects and I/O streams
You can now create objects from RPM version strings by using the new
rpm.ver()function. You can use these objects to perform the following actions:-
Obtain the individual pre-parsed EVR components through the
e,v, andrfields, respectively. - Compare RPM version strings to each other.
You can also use the new
rpm.open()function to open file streams that use RPM’s I/O features, such as transparent compression and decompression.-
Obtain the individual pre-parsed EVR components through the
For more information, see Lua in RPM.
New macros for convenient string operations implemented in Lua
You can now perform basic string operations, such as extracting a substring or obtaining the length, directly by using RPM macros, without having to execute shell subprocesses. For more information, see String operations.
Unified calling conventions for built-in and user-defined macros
The %foo arg, %{foo arg}, and %{foo:arg} notations used for calling macros are now equivalent. Note, however, that there might still be minor exceptions and differences.
Multiple new built-in macros
Multiple new built-in macros are now available, most notably:
-
%{rpmversion}for obtaining the version of RPM installed on the system. -
%{exists:…}for testing a file’s existence. -
%{shescape:…}for encompassing a string in single quotes ('') for use in a shell command that expects a single argument.
New %preuntrans and %postuntrans scriptlets
The %preuntrans and %postuntrans uninstall-time scriptlets complement the existing install-time %pretrans and %posttrans scriptlets:
-
%preuntransscriptlets are executed before a transaction for packages that this transaction will remove. -
%postuntransscriptlets are executed after a transaction for packages that this transaction removed.
Support for signing packages with Sequoia PGP is available as a Technology Preview
The macros.rpmsign-sequoia macro file that configures RPM to use Sequoia PGP instead of GnuPG for signing packages is now available as a Technology Preview. To enable its usage, perform the following steps:
Install the following packages:
# dnf install rpm-sign sequoia-sqCopy the
macros.rpmsign-sequoiafile to the/etc/rpm/directory:$ cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/
22.3.3. Other notable changes
User and group name resolution is now strictly local
When installing packages, RPM now obtains the information about users and groups from the passwd(5) and group(5) files on the local system, respectively, as opposed to using the Name Service Switch (NSS).
When building packages, the %defattr directive now interprets the dash (-) placeholder for the user and group attributes as root, instead of obtaining the information about the actual ownership from disk. Similarly, files in source RPM packages, such as spec files, source archives, or patch files, are now always owned by the root user and group, regardless of their ownership on disk.
The build tree (%_builddir) is now removed by default after a successful build
Previously, rpmbuild(8) only cleaned up the build directory in the --rebuild mode, not in the more commonly used modes, such as -bb. Consequently, multiple packages being built caused the unnecessary accumulation of files over time. With this enhancement, if you prefer to always keep the build tree, for example, to investigate a non-fatal build issue, you can use the --noclean option.
The %patch directive must now explicitly specify the patch numbers to apply
You can specify the patch number either of the following ways:
-
By using the
-Poption, for example,%patch -P1 -P2to apply patch numbers 1 and 2. -
By passing the patch numbers as positional arguments, for example,
%patch 1 2to apply patch numbers 1 and 2.
The %patchN syntax, where N is the patch number to apply, is now deprecated.
If no explicit patch number is specified with the %patch directive, the build terminates with an error.
It is recommended that you use the %autosetup macro whenever possible, instead of applying the individual patches manually with the %patch directive. When you use %autosetup, patches are applied automatically in the order identified by their patch numbers. As a result, the spec file is easier to read and maintain. For more information, see Automating patch application.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}