RPM 4.17.1 Release Notes

Download information

  • Source: rpm-4.17.1.tar.bz2
  • SHA256SUM: 0c11b793466e7258851ff82bd65c8ffd8c2dbbc70acc869a5d34150549926e5d

Summary of changes from RPM 4.17.0

General bugfixes and enhancements

Command line

  • Fix build summary confusingly mixing warnings and errors in rpmbuild(8)
  • Fix rpmkeys(8) return code on I/O errors
  • Fix --setperms processing recorded symlinks (RhBug:1900662)
  • Fix -q/--query option not visible in --help


  • Fix %_minimize_writes (regression in 4.15.0)
  • Fix ctrl-c during transaction killing scriptlets (regression in 4.17.0)
  • Fix excluded and non-installed files getting considered in file conflicts calculation
  • Fix uncontrolled sqlite WAL growth during large transactions
  • Fix possible priority inversion in ordering code wrt weak dependencies with qualifiers
  • Fix segfault due to missing priority tag

Package building


  • Change %autosetup -S git to do work on a branch
  • Fix individual patch application via %autopatch
  • Fix %changelog parsing affecting caller’s timezone state


  • Add %bcond macro as a nicer way of defining build conditionals
  • Add optional argument for the %verbose macro
  • Fix %{define name body} syntax in specs
  • Fix non-parametric built-in macros (regression in 4.17.0)
  • Fix consistency issues in macro expansion for builtin macros
  • Fix short circuiting of version strings in expressions
  • Protect automatic macros from being redefined and undefined
  • Remove arbitrary macro name minimum length limit (RhBug:1994223)


  • Fix spurious %transfiletriggerpostun execution (RhBug:2023311)
  • Fix OCaml generators to ignore .cmxs files

Buildroot policies

  • Fix kernel modules not being stripped
  • Fix Guile object files being stripped
  • Fix brp-remove-la-files sometimes removing non-libtool files
  • Fix check-buildroot not stopping on errors with grep >= 3.5
  • Fix unwanted network access in check-rpaths-worker (RhBug:2079600)
  • Fix broken output of check-rpaths-worker (RhBug:2019804)

Signatures and keys

  • Add requirement for signature creation time to be unique and hashed
  • Add check for packet CRC length
  • Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521)
  • Fix subkey binding timestamp used for main gpg-pubkey
  • Fix IMA signature lengths assumed constant (RhBug:2018937)
  • Fix IMA installation failure on filesystems without xattr support
  • Fix signature check result on valid header signature but unverifiable payload
  • Fix Ed25519 signature verification using libgcrypt
  • Fix package file descriptor not being closed at sign time

Python bindings

  • Add bindings for rpmfilesFSignature() and rpmfilesVSignature() (.imasig and .veritysig properties in rpm.file objects)
  • Fix ancient Python ts.check() argument order (regression in 4.8.0)

Lua interface

  • Fix scriptlet arguments passed as numbers again (regression in 4.17.0)

Internal improvements and cleanups

  • Add missing deprecation warnings to various public interfaces
  • Add higher limit for maximum array size in header
  • Fix digest context leak in PGP code
  • Fix return value checks and double-frees in OpenSSL code
  • Fix overflow in hashed signature subpacket area
  • Fix rpmdb cookie in FIPS mode by changing it to SHA256
  • Fix memory leak in NDB backend
  • Fix various Lua stack leaks
  • Fix various NULL dereferences
  • Fix various documentation errors

Build process

  • Fix UID_0_USER and UID_0_GROUP values when /etc/passwd not present
  • Fix build on armhf and mipsel

Compatibility notes

  • Clients such as DNF that utilize the rpmdb cookie for the detection of outside rpmdb changes may generate a false positive due to the cookie algorithm change from SHA1 to SHA256.