RPM 6.0

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Update RPM to the upcoming 6.0 major release.

Owner

Current status

  • Targeted release: Fedora Linux 43
  • Last updated: 2025-02-27
  • [<link to devel-announce post will be added by Wrangler> Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Update RPM to the upcoming 6.0 release for several security improvements.

Note: moving Fedora to the new v6 package format is explicitly NOT IN SCOPE for this change. RPM 6.0 in Fedora 43 will ship with v4 package generation as the default, regardless of the upstream default.

Feedback

Benefit to Fedora

The major theme in 6.0 is increased security and related improvements:

  • signature checking is enforced by default
  • OpenPGP keys are referred to by their fingerprint, or by the full key ID where no fingerprint is available (previous versions used the short key ID)
  • OpenPGP keys can be updated with rpmkeys --import <key> and corresponding API(s)
  • support for multiple signatures per package (also an enabler for Post-Quantum signatures later on)
  • support for automatic signing on package build (mainly for local use)
  • support for signing with Sequoia-sq as an alternative to GnuPG

A less direct benefit is enabling the testing of the new v6 package format in the wider ecosystem.

Last but not least: with the release of 6.0, the RPM 4.x branch goes into strict maintenance-only mode; there will be no further development on that branch.

Scope

This is the first RPM version to support the new v6 package format, but moving Fedora to the new package format is explicitly not in scope for this change.

  • Proposal owners:
    • Rebase RPM
    • Assist dealing with incompatibilities
  • Other developers:
    • Test and report issues
    • Adjust 3rd party software/tools to work with the new formats and defaults where needed
    • Test v6 package behavior with 3rd party software/tools (optional)
  • Policies and guidelines: N/A
  • Trademark approval: N/A
  • Alignment with the Fedora Strategy:

Upgrade/compatibility impact

  • Existing package build+install workflows may need to be adjusted due to enforced signature checking being the default.
  • 3rd party scripts and tools may need adjusting to the new key addressing format and other signature-related output changes.

Early Testing (Optional)

Do you require 'QA Blueprint' support? N

How To Test

RPM receives thorough and constant testing through every package build, system install and update, but of particular interest in this release are:

  • updating previously imported keys
  • manipulating the rpm keyring via rpmkeys
  • testing the new v6 package format compatibility with 3rd party software (requires building packages with %_rpmformat set to 6)

User Experience

  • The most noticeable change is that RPM now refuses to install packages whose signature has not been positively verified, whether because the package is unsigned, the key is missing, or verification fails for another reason. This can be worked around by supplying --nosignature on the command line or, more permanently, by changing the %_pkgverify_level macro to the former default of "digest". These should only be temporary measures; users are encouraged to set up automatic signing for their (local) builds instead.
  • Signature- and key-related output has changed: upper/lower case is used consistently, and OpenPGP keys are always addressed either by their fingerprint hash or by the full key ID, whereas previously a collision-prone short key ID was used.
  • rpmkeys is now the official tool for manipulating the rpm keyring. Other methods such as manipulating 'gpg-pubkey' pseudo-packages manually are deprecated and should be updated to either the rpmkeys tool or the newly provided keyring APIs.

Dependencies

  • The soname does not change, so no rebuilds of dependencies or other packages are required.
  • There are no dependencies to other Fedora changes.
  • This is the first version of rpm built as C++, so rpm gains a runtime dependency on libstdc++.
  • Signing with Sequoia additionally requires sequoia-sq >= 1.0, but this is an optional dependency and even then, only for signing packages.

Contingency Plan

  • Contingency mechanism: Revert to RPM 4.20
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

Release Notes