[Rpm-maint] RPM 4.13.0-alpha released

Thierry Vignaud thierry.vignaud at gmail.com
Mon Aug 3 10:19:29 UTC 2015

On 30 July 2015 at 12:18, Thierry Vignaud <thierry.vignaud at gmail.com> wrote:
> rpm-4.13 is stricter about multiple (classic package) triggers:
> "error: line 320: Trigger fired by the same package is already defined
> in spec file: %triggerpostun -- initscripts < 8.88-5"
> This is caused by this which worked fine until now:
> %triggerpostun -- initscripts <= 4.72
> (...)
> %triggerpostun -- initscripts <= 8.38-2
> (...)
> Here I can safely kill very old triggers.
> But there are obviously real cases where we might want to have two
> similar triggers, only differing by the version that triggers them.
> (e.g.: fixing a 1st issue when upgrading from distro N to N+2, and fixing
> another one when upgrading from distro N+1 to N+2)
> This is due to this commit:
> http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3ae1c414f69a0eddbfecd4341dd27c7a5e90e12a
> This is breaking existing packages
> Why impose this limit?
> Why would it be OK for file triggers but not for package triggers?
> Do we really want to enforce at rpm level the fact that some distro
> only support upgrading from version N to version N+1?
> I suggest we revert that commit (& adjust http://rpm.org/wiki/Releases/4.13.0)

Also, is there any reason why the following security patches are not
yet integrated?


# Fix race condition where unchecked data is exposed in the file system
Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
# Add check against malicious CPIO file name size
Patch309: rpm-4.12.0.x-CVE-2014-8118.patch

See you
