RPM 4.18.0 Release Notes

Download information

  • Source: rpm-4.18.0.tar.bz2
  • SHA256SUM: 2a17152d7187ab30edf2c2fb586463bdf6388de7b5837480955659e5e9054554

Summary of changes from RPM 4.17.x

General bugfixes and enhancements

  • Add a new Sequoia-based OpenPGP backend (#1978)
  • Documentation updates
    • Lua extensions, examples
    • Typos, grammar, clarifications, presentation improvements
    • Bring install-order documentation to this millenium
    • Drop some misleadingly outdated docs
    • Translation updates

Command line

  • Fix --restore to properly honor file states and all (#965)
  • Fix --setperms processing recorded symlinks (RhBug:1900662)
  • Fix rpmkeys return code on I/O errors
  • Fix --showrc to return an error code on broken rc and macro files (#1796)
  • Fix mismatch between rpmspec -q --srpm and rpmbuild -bs architecture (#1116)
  • Fix --short-circuit for (dynamic) buildrequires checking
  • Fix -q/--query option not visible in --help (#1473)
  • Fix query arguments containing ^ not working (#2104)
  • Fix various dark corners in rpm2cpio.sh (RhBug:2115206)
  • Add downgrade (--oldpackage) support to --freshen (#652)
  • Add --path query for support for stateless file information (RhBug:1940895)
  • Add rpmlua command for running rpm’s embedded Lua interpreter standalone, with command history and support for iLua
  • Add --shell option for interactive macro shell to rpmspec
  • Add --justdb counterpart --nodb option and matching API flag
  • Add -bd, -td and -rd switches to rpmbuild for checking build dependencies
  • Add available database backends to --showrc output


  • Fix intermediate symlinks not verified (CVE-2021-35939)
  • Fix unowned directories created unsafely
  • Fix spurious %transfiletriggerpostun execution (RhBug:2023311)
  • Fix %_minimize_writes regression (in 4.15.0)
  • Fix possible priority inversion in ordering code wrt weak dependencies with qualifiers
  • Fix ctrl-c during transaction killing scriptlets (regression in 4.17.0)
  • Fix excluded and non-installed files getting considered in file conflicts calculation
  • Fix uncontrolled sqlite WAL growth during large transactions
  • Fix %posttrans argument on upgrade

Package building


  • Fix mismatch between package name and provides/obsoletes rules (#1694)
  • Fix check-buildroot not stopping on errors with grep >= 3.5 (#1968)
  • Fix build summary confusingly mixing warnings and errors (#793)
  • Fix %patch 1 applying patches 0 and 1
  • Fix package build tree not getting removed on successful build
  • Fix .gemspec from %setup not getting removed on %clean
  • Fix %setup and %patch not getting expanded in rpmspec –parse (#2048)
  • Fix missing quotes on %sources and %patches (#1445)
  • Add new SourceLicense tag for specifying a source license different from the binary license (#2079)
  • Add new %conf spec section for build configuration (#1086)
  • Add %bcond macro as a nicer way of defining build conditionals (#941)
  • Add an optional “override clock” from SOURCE_DATE_EPOCH environment to support deterministic timestamps inside OS images
  • Add support for qualifiers (eg pre, post…) for weak dependencies
  • Add support for zstd long distance matching compression (L<n> io flag)
  • Add warning if %source_date_epoch_from_changelog set but changelog missing
  • Add new rpmuncompress cli tool which handles extraction of sources and uncompress of patches in %setup and %patch pseudomacros.
  • Add new informational UpstreamReleases and TranslationURL tags
  • Add parsed and expanded spec to src.rpm header as Spec tag
  • Make %{buildsubdir} settable outside %setup
  • Deprecate implicit “%patch number zero” syntax


  • Fix individual patch application via %autopatch (#1766)
  • Fix consistency issues in macro expansion for builtin macros
  • Fix %{define name body} syntax in specs
  • Fix non-parametric built-in macros (regression in 4.17.0)
  • Fix short-circuiting of version strings in expressions (#1883)
  • Add %{shescape:...} macro for single quoting and escapes for the shell
  • Add optional argument for the %verbose macro
  • Add support for multiple arguments in %{quote}
  • Add support for Lua functions in expressions (eg %[lua:string.reverse("hello")])
  • Drop arbitrary macro name minimum length limit (RhBug:1994223)
  • Protect automatic macros from being redefined and undefined

Buildroot policies

  • Fix handling of filenames with spaces in brp-compress
  • Fix Guile object files getting stripped (#1765)
  • Fix brp-strip-comment-note running only serially
  • Fix brp-remove-la-files sometimes removing non-libtool files
  • Fix unwanted network access in check-rpaths helper script (RhBug:2079600)


  • Fix OCaml generators to ignore cmxs files
  • Add a provides generator for rpm macros

Signatures and keys

  • Fix signature check result on valid header signature but unverifiable payload
  • Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521)
  • Fix Ed25519 signature verification with libgcrypt
  • Fix subkeys not capable of signing accepted for verification (#1911)
  • Fix signing of packages unusual filenames
  • Fix subkey binding timestamp used for main gpg-pubkey (#2004)
  • Add support for –import in fs keyring
  • Add support for linting keys on import (Sequoia backend only)


  • Fix IMA causing install failure on filesystems without xattr support
  • Add file descriptor argument to file-prepare hook
  • Revert file-pre, file-prepare and file-post hook execution to their pre-4.17.0 positions

Python bindings

  • Fix ancient Python ts.check() argument order regression (#1871, in 4.8.0)
  • Add bindings for rpmfilesFSignature() and rpmfilesVSignature() (.imasig and .veritysig properties in rpm.file objects)
  • Drop experimental and internal _build method from from the spec bindings

Lua interface

  • Fix relocation info not available in Lua scriptlets (#1531)
  • Fix scriptlet arguments passed as numbers again (regression in 4.17.0)
  • Fix off-by-one in rpm.call()
  • Fix newline behavior in interactive mode
  • Fix rpm.next_file() to be usable only inside scriptlets with input
  • Fix rpm.vercmp() error message on second argument (#2165)
  • Add rpm.splitargs() and rpm.unsplitargs() functions for macro argument processing
  • Add auto-print of returned values from macros
  • Drop defunct and unused rex extension

API changes

Added APIs

  • rpmtsAddRestoreElement(), rpmRestore() for --restore
  • rreallocn(), similar to glibc’s reallocarray()
  • rpmhex() for hex-enconding binary data

Changed APIs

  • Fix database open hijacking normal signal handling
  • Fix rpmfiSetFX() return code to be meaningful
  • Fix pgpPubkeyFingerprint() to do something meaningful again
  • Add new PGP-independent set of hash algorithm symbols (#1899)
  • Various generic crypto APIs moved from rpmpgp.h to rpmcrypto.h header
  • Disable and obsolete rpmfiSetDX(), rpmfiInitD() and rpmfiNextD()

Removed APIs

  • N/A

Internal improvements and cleanups

  • Fix IMA signature lengths assumed constant (#1833, RhBug:2018937)
  • Fix various leaks and other findings from static analyzers
  • Fix various correctness and safety issues in the OpenPGP parser
  • Fix rpmdb cookie in FIPS mode by changing it to SHA256
  • Fix pgpDigParams to be properly opaque
  • Fix rpmio stats spew in stderr (#1987)
  • Fix changelog parsing affecting caller timezone state (#1821)
  • Add an artificial limit of 1M to header array sizes
  • Add support for loongarch64 architecture
  • Add ARCHSUFFIX extension tag
  • Optimize C source file classification
  • Drop support for undocumented keyid based import over the net
  • Various code cleanups to macro engine and Lua extensions
  • Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)
  • Various fixes and cleanups to hardlink handling
  • Physically separate public and private headers in the codebase

Build process

  • Require POSIX.1-2008 level operating system for the openat() family of APIs
  • Fix Doxygen deprecation warnings
  • Fix UID_0_USER and UID_0_GROUP values when /etc/passwd not present (#1838)
  • Fix out of tree build regression wrt man page generation (#1851)
  • Fix stat64 build on Apple Big Sur (#1752)
  • Fix build on armhf and mipsel
  • Fix db backend default as per availability
  • Fix signing tests assuming gpg default to sha256 hash algo
  • Fix test-suite relying on deprecated distutils
  • Fix warnings from autotools >= 2.70 (#1785)
  • Fix make ci in a VPATH build
  • Add option to disable libelf dependency (--enable/--disable-libelf)
  • Add multiple new test-cases
  • Update minimum required gettext version to 0.19.8
  • Update CI to Fedora 36

Compatibility notes