RPM 4.20.0 Release Notes

Download

Source: rpm-4.20.0.tar.bz2
SHA256SUM: 56ff7638cff98b56d4a7503ff59bc79f281a6ddffcda0d238c082bedfb5fbe7b

User Interface

The rpmkeys(8) command learned the --list and --delete options.
The rpmsign(8) command learned to sign packages with ECDSA keys.
The rpm2archive(8) utility now supports cpio file format, replacing the implementation of rpm2cpio(8) which is now installed as a symlink to the former.
It’s now possible to ask rpm(8) for JSON-formatted output when doing queries, with the new --json option. This is a more readable alternative to the existing --xml option.
The ${XDG_CONFIG_HOME}/rpm directory is now the preferred location when loading per-user macro configuration (#2153).
A new rpm-plugin-unshare(8) plugin to prevent filesystem and network access in scriptlets by using Linux namespaces(7) (#2632, #2665).

Spec & Package Building

The new BuildSystem directive is now available for declaring which build system is used by the packaged software. With this directive, the sources will be automatically prepared, compiled and installed according to the given build system’s best practices, instead of requiring the packagers to provide the %prep, %build or %install scriptlets themselves. This reduces boilerplate while still allowing packagers to tweak these steps if necessary, such as to conform to the distribution’s guidelines or preferences. Build systems can be registered with RPM by defining a collection of macros. Note that RPM itself will not ship these definitions by itself, this is left to the distributions or build system maintainers. We provide examples for Autotools and CMake, however, which can be used for inspiration. For more details on this feature, see the dedicated page.
Build scriptlets, such as %build, %install or %check, can now be augmented arbitrary number of times by appending or prepending to them with the new -a and -p options. This is particularly handy for tweaking specs that use the new BuildSystem feature described above.
Dynamic spec parts may now include directives and sections that don’t influence the build process itself. If those that do influence the build are used, a proper error message is now printed (#2917).
A per-package build directory that’s fully RPM-controlled is now used and exposed as the new %builddir macro at build time (#2078).
--build-in-place now has clearer and less ambiguous semantics. See the Compatibility Notes below as well as the option’s updated description in rpmbuild(8) for more details.
%autosetup learned the -C option that ensures the sources will be extracted in the root of the build directory (#2664).
A warning is now issued if the number range given to %autopatch doesn’t match any patches. You can suppress it with the -q option (#3093).
Distributions can now override build conditionals (%bcond) system-wide with the new %{bcond_override_default NAME VALUE} macro.
File trigger scripts now receive package count arguments, much like regular triggers (#2755).
File attributes and generators can now be shipped by the same package that uses them, as opposed to having to be distributed separately. For details, see the dedicated page and #782.
A new multi-file protocol allowing for much faster dependency generation is now available. See the dedicated page for details.
brp-strip no longer attempts to process Ruby, Python or Javascript files, making it more efficient and faster, especially in the situations where I/O is expensive.
Better support for reproducible builds. It’s now possible to set a timestamp handling policy with the new macro %build_mtime_policy. Two policies are currently available; one for clamping the timestamps to $SOURCE_DATE_EPOCH (which deprecates and replaces the %clamp_mtime_to_source_date_epoch macro) and one for clamping them to the build time (this is a new feature). Set the macro to clamp_to_source_date_epoch or clamp_to_buildtime to use the respective policy. Additionally, build time is now exposed to build scriptlets via the new $RPM_BUILD_TIME environment variable and can also be overridden manually via the new %_buildtime macro. For more details on these macros, see the dedicated page.
Proper distribution-agnostic debuginfo enablement logic (#2204). Distributions no longer need to override the %install section with a macro in order to inject the %debug_package boilerplate themselves. Debuginfo generation is now handled automatically and properly, and is enabled on Linux by default.
Group membership lines are now supported in sysusers.d(5) files.
The Lua API learned a new rpm.spawn() function that supersedes rpm.execute() and provides more fine-grained control, currently for redirecting stdin, stdout and stderr to given paths (#3192).
Comments (starting with a #) after spec conditionals are now legal syntax. These were originally allowed due to a spec parser bug but in recent versions triggered a build warning (#829).
Indentation is now allowed for spec tags (#2927).

Bug Fixes

Regression: Packages with unsupported usage of the %config flag (e.g. with directories), such as those made with the Gradle plugin, no longer fail to install (#2890).
Regression: Ensure binary and source headers are identified as such in rpmspec(8) queries (#2819).
Regression: Allow for manual debuginfo packaging again (an ancient regression) (#3057).
Regression: Fix dependency generators sometimes dying with SIGPIPE (#2949).
Really allow qualifiers like pre/post/meta for weak dependencies (#624).
Set git commit dates in %autosetup -S git based on $SOURCE_DATE_EPOCH (#9).
Issue a warning when passing arguments to non-parametric macros (#2932).
Fix %quote macro special characters leaking to the outside.
Fix %shescape macro to escape all arguments.
Fix %transfiletriggerpostun only matching on the first prefix, ignoring the rest (#3048).
Fix multiply defined local macros escaping scope (#3056).
Make %dirname and %basename behave like dirname(3) and basename(3) (#2928).
Run build scriptlets with closed stdin to enforce unattended builds.
Always create %specpartsdir on build (#3063).
Let eBPF ELF files be packaged in noarch packages (#2875).
Never use current user info or file ownership during build (#2604).
Ignore non-scriptlet weak dependencies in ordering (#1346).
Automatically load proper platform configuration on BuildArch when --target is not used (#3049).
Ensure rpmbuild(8) cleanup doesn’t fail due to permissions (#2519).
Use UTC timezone when uncompressing zip archives for consistency (#2955).
Multiple fixes to archives created by rpm2archive(8).
Eliminate hardcoded assumptions about gpg(1) in error messages (#3274).

Development & Build System

The plugin API is now public (#1536).
Include dirs are now exported in lib targets as well (#3222).
An .editorconfig file is now provided in the repository (see CONTRIBUTING.md for details).
Python API examples are now provided and installed into ${CMAKE_INSTALL_DOCDIR}.
A new low-level package dump utility is now available at /usr/lib/rpm/rpmdump. Note that this tool is not meant for end users and is lacking documentation at the moment.

API Changes

Added rpmdsIsSysuser() for determining sysusers-dependencies.
Added rpmPushMacroAux(), rpmMacroEntryPriv(), rpmMacroBufAppend(), rpmMacroBufAppendStr() and rpmMacroBufErr() to support auxiliary macros implemented in C.
Added rpmPluginName(), rpmPluginOpts(), rpmPluginSetData(), rpmPluginGetData() and various type definitions and other symbols to support rpm plugin creation (details in rpmplugin.h).
Added a new tag format symbol RPMTD_FORMAT_JSON.
Removed several unused type and struct definitions related to the OpenPGP standard (details in rpmpgp.h).

Internal Cleanup

The %prep section is now implemented as a regular build scriptlet, instead of being treated specially by the spec parser. This fixes #1870 as well as makes the behavior consistent with the other spec sections.
The internal OpenPGP parser has been removed. RPM can now also be built completely without OpenPGP support (i.e. without Sequoia) to allow for easier bootstrapping, see the INSTALL file for details (#2414).
The Python bindings have been ported to the stable Python ABI (#2345).
The Perl dependency generators have been split out of the main repository (#2873).

Compatibility Notes

The %patchN macro syntax (where N is a patch number) is now obsolete and will produce a build error. Use %patch N (or for maximum compatibility, %patch -P N) instead.
Since %prep is now a regular build scriptlet, %setup and %patch are now real macros as well, and are therefore expanded even inside comments. This can lead to unexpected build failures for specs that have these macros commented out but not escaped, for example:
```
#%setup -n foobar
```
This will result in the following error:
```
cd: foobar: No such file or directory
```
To fix this, you must escape the macro properly as documented here, for example:
```
%dnl %setup -n foobar
```
In order to enable debuginfo generation during package builds, distributions have historically been using a hack that overrides the %install section with a macro that injects the %debug_package boilerplate into it. With RPM now gaining native support for debuginfo enablement, this hack is no longer supported (see #2204 for details). Distributions carrying such a macro are now kindly asked to remove it. As an example of what the (now obsoleted) macro might look like, here’s a definition shipped by the redhat-rpm-config package in Fedora 40:
```
%install %{?_enable_debug_packages:%{?buildsubdir:%{debug_package}}}\
%%install\
%{nil}
```
Note that the %__debug_package macro continues to be automatically set to 1 when debuginfo generation is enabled and thus can be relied upon without any changes.
As a result of the clarified semantics of --build-in-place, the %prep stage is now skipped entirely in this mode. This may break existing specs that rely on %prep still applying patches or making additional tweaks to the source tree. To make such specs compatible with RPM 4.20, these post-preparation steps should be moved to the %conf or %build sections.
The %clamp_mtime_to_source_date_epoch macro is now deprecated in favor of %build_mtime_policy set to clamp_to_source_date_epoch.
Non-comment text (i.e. not starting with a #) after spec conditionals is now a build error.
Lua functions posix.fork(), posix.exec(), posix.wait() and rpm.redirect2null() are deprecated. Use rpm.spawn() or rpm.execute() instead.
Python 3.7 (when enabled) is now the minimum build requirement.