[Rpm-announce] RPM 6.0.0 released!
Panu Matilainen
pmatilai at redhat.com
Mon Sep 22 12:43:12 UTC 2025
It's been a long time coming. I think many didn't believe it would come
at all.
The RPM v4 format turns 25 this year. In this world of mad dash
quarterly economics, a quarter of a century is an eternity, and I think
we can conclude the format has proven flexible and all things
considered, has served us rather well.
It's also safe to say that a new format is long overdue by now. What was
considered state of the art security in 2000 is either long obsolete
and/or considered insecure practises, and that's really the main story
behind RPM 6.0 and the new v6 format:
* Support for multiple OpenPGP signatures per package (#3385)
* Support for OpenPGP v6 and PQC keys and signatures (#3363)
* Support for updating previously imported keys (#2577)
* Support for both RPM v4 and v6 packages
* Support for installing RPM v3 packages has been removed (#1107)
* RPM defaults to enforcing signature checking (#1573)
* RPM uses the full key ID or fingerprint to identify OpenPGP keys
everywhere (#2403)
* Man page and other documentation overhaul (#3612, #3669, #3751)
* Pristine and verifiable release tarballs (#3565) (#2702)
That's what is truly new in 6.0, but that's just the icing on the cake.
For the full picture one needs to look at the past ~20 years of
development. We have been working towards this day since the rpm.org
reboot around 2007, although that realization only really struck in the
last few years. Think 64bit file size support, drop-in dependency
generators, transaction plugins, rich dependencies, file triggers,
debuginfo improvements, new database backends, Lua and expression macro
integration, dynamic build-requires and spec generation, user/group
support, declarative buildsystems and whatnot, gradually introduced
since RPM 4.6.0. All that is what really makes up RPM 6.0, and is
available on v6 out of the gate.
Over 300 people, representing a multitude of distributions, companies
and other organizations have contributed code, and countless more have
provided valuable input in the form of ideas and bug reports. Thank you
all, RPM would not be where it is without your contributions!
This is also a nice way to celebrate the oncoming 30th birthday of RPM,
measuring from commit history.
For download information and full release notes, including detailed
compatibility information, are available at
https://rpm.org/releases/6.0.0
The differences to 6.0-beta2 are avaible at
https://rpm.org/releases/5.99.99
On behalf of the rpm-team,
- Panu -
More information about the Rpm-announce
mailing list