F43 Change Proposal RPM 6.0 (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/RPM-6.0
Discussion thread -
https://discussion.fedoraproject.org/t/f43-change-proposal-rpm-6-0-system-wide/146855

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.



== Summary ==
Update RPM to the upcoming 6.0 major release.

== Owner ==
* Name: [[User:Pmatilai| Panu Matilainen]]
* Email: pmatilai@xxxxxxxxxx


== Detailed Description ==
Update RPM to the upcoming 6.0 release for several security improvements.

Note: moving Fedora to the new v6 package format is explicitly NOT IN
SCOPE for this change. RPM 6.0 in Fedora 43 will ship with v4 package
generation as the default, regardless of the upstream default.

== Feedback ==


== Benefit to Fedora ==

The major theme in 6.0 is increased security and related improvements:
* enforcing signature checking on by default
* OpenPGP keys are referred to by their fingerprint, or by the full key
id where a fingerprint is not available (compared to the short key id
in previous versions)
* OpenPGP keys can be updated with `rpmkeys --import <key>` and
corresponding API(s)
* support for multiple signatures per package (also an enabler for
Post-Quantum signatures later on)
* support for automatic signing on package build (mainly for local use)
* support for signing with Sequoia-sq as an alternative to GnuPG

A less direct benefit is enabling the testing of the new v6 package
format in the wider ecosystem.

Last but not least: with the release of 6.0, the RPM 4.x branch will
go into a strict maintenance-only mode; there will be no further
development on that branch.

== Scope ==

This is the first RPM version to support the new v6 package format,
but moving Fedora to the new package format is explicitly not in
scope for this change.

* Proposal owners:
** Rebase RPM
** Assist dealing with incompatibilities

* Other developers:
** Test and report issues
** Adjust 3rd party software/tools to work with the new formats and
defaults where needed
** Test v6 package behavior with 3rd party software/tools (optional)

* Release engineering: [https://pagure.io/releng/issue/12616 #12616]

* Policies and guidelines: N/A

* Trademark approval: N/A

* Alignment with the Fedora Strategy: N/A


== Upgrade/compatibility impact ==

* Existing package build+install workflows may need to be adjusted due
to enforced signature checking being the default.
* 3rd party scripts and tools may need adjusting to the new key
addressing format and other signature related output changes.

== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? N

== How To Test ==
RPM receives thorough and constant testing via every single package
build, system install and update, but of particular interest in this
release are:
* updating previously imported keys
* manipulating the rpm keyring via rpmkeys
* testing the new v6 package format compatibility with 3rd party
software (requires building packages with %_rpmformat set to 6)

== User Experience ==

* The most noticeable change is that RPM now refuses to install
packages whose signature hasn't been positively verified, whether due
to the package being unsigned, the key being missing or otherwise. This
can be worked around by supplying `--nosignature` on the command line,
or more permanently by changing the `%_pkgverify_level` macro to the
former default of `digest`, but these should only be temporary
measures; users are encouraged to import the necessary keys and/or set
up automatic signing for their (local) builds instead.
* Signature and key related output has changed: upper/lower case is
followed consistently in related output, and OpenPGP keys are always
addressed either by their fingerprint or by the full key id, whereas
previously a collision-prone short key id was used.
* `rpmkeys` is now the official tool for manipulating the rpm keyring.
Other methods such as manipulating `gpg-pubkey` pseudo-packages
manually are deprecated and should be updated to either the rpmkeys
tool or the newly provided keyring APIs.
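The `%_pkgverify_level` workaround above is easy to leave behind after the
upgrade. The following script, added here as an illustration and not part
of the change proposal or of RPM itself, audits the macro files for a
downgraded level and, where `rpm` is installed, prints the effective value
and verifies a package with `rpmkeys --checksig`. It assumes the standard
macro file locations and rpm's load order (later files override earlier
ones); the `audit_macros`/`level_from_macros` names are the example's own.

```shell
#!/bin/sh
# Added example: detect a %_pkgverify_level downgrade (e.g. the old
# "digest" default) left in rpm macro files as a "temporary" workaround.

# weakened_level LEVEL -> exit 0 if LEVEL does not enforce signatures.
weakened_level() {
  case "$1" in
    digest|none) return 0 ;;
    *) return 1 ;;
  esac
}

# level_from_macros FILE... -> prints the last %_pkgverify_level value
# defined across the given macro files (later files win, as in rpm's own
# load order), or "unset" if none of them defines it.
level_from_macros() {
  lvl=unset
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*%_pkgverify_level[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
    [ -n "$v" ] && lvl=$v
  done
  printf '%s\n' "$lvl"
}

# audit_macros FILE... -> "WEAKENED (<level>)" or "ok (<level>)".
audit_macros() {
  lvl=$(level_from_macros "$@")
  if weakened_level "$lvl"; then
    printf 'WEAKENED (%s)\n' "$lvl"
  else
    printf 'ok (%s)\n' "$lvl"
  fi
}

# On a real host: audit the usual macro files, ask rpm for the effective
# value after all files are applied, and verify the package named in $1.
if command -v rpm >/dev/null 2>&1; then
  audit_macros /usr/lib/rpm/macros /usr/lib/rpm/macros.d/* /etc/rpm/macros* "$HOME/.rpmmacros"
  echo "effective: $(rpm --eval '%_pkgverify_level')"
  [ -n "$1" ] && rpmkeys --checksig "$1"
fi
```

A result of `ok` with a level the site never set simply means the level is inherited from the RPM build defaults, which is the intended state after the upgrade.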

== Dependencies ==

* The soname does not change, so no rebuilds are required for
dependencies or otherwise.
* There are no dependencies to other Fedora changes.
* This is the first version of rpm built as C++, so rpm gains a
runtime dependency on libstdc++.
* Signing with Sequoia additionally requires sequoia-sq >= 1.0, but
this is an optional dependency and even then, only for signing
packages.

== Contingency Plan ==

* Contingency mechanism: Revert back to RPM 4.20
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==
* [https://github.com/rpm-software-management/rpm/discussions/3602 The
road to RPM 6.0 blog]
* [https://rpm.org/wiki/Releases/6.0.0 Draft release notes] (subject to change)
* [https://rpm-software-management.github.io/rpm/manual/ Upstream
reference manual]

== Release Notes ==

-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
