From mdomonko at redhat.com Fri Apr 5 16:03:21 2024
From: mdomonko at redhat.com (Michal Domonkos)
Date: Fri, 5 Apr 2024 18:03:21 +0200
Subject: RPM 4.20.0 ALPHA released!
Message-ID:

Spring is here again and with it, a preview of what's coming in the next
major RPM update later this year, version 4.20, in the form of an ALPHA
pre-release.

As per usual, a number of new features are in the works, most of which
have already landed in this pre-release and are ready for a test drive.

We've also (finally!) made the plugin API public, and removed the
insecure legacy OpenPGP parser (replaced by Sequoia in 4.19). It took
quite a bit of pondering and back-and-forth to hash out a feasible plan
where RPM can still be bootstrapped without either the internal OpenPGP
parser or Rust entering the picture, but here we go. If you're a distro
builder or just interested in the details, see the updated INSTALL file
or the respective pull request [4] for some more background information.

You may also want to check out the Compatibility notes section at the
bottom of the release page linked below, in case your package(s) are
affected.

Lastly, here's a quick summary of the changes:

* Declarative buildsystem support [1]
* A new RPM-controlled per-build directory
* Support for SPEC-local file attributes and generators [2]
* Support for sysusers.d(5) group membership lines
* New prepend and append modes for build scriptlets [3]
* Python bindings have been ported to the stable ABI
* Plugin API is now public
* Increased isolation of install scriptlets on Linux via a new plugin
* File trigger scripts now also receive package count arguments
* Perl dependency generators have been split out
* Internal OpenPGP parser has been removed
* Various other improvements and fixes

For download information and a full (draft) changelog, visit:

https://rpm.org/wiki/Releases/4.20.0

On behalf of the RPM team,
Michal

[1] https://rpm-software-management.github.io/rpm/manual/buildsystem.html
[2] https://rpm-software-management.github.io/rpm/manual/dependency_generators.html#using-file-attributes-in-their-own-package
[3] https://rpm-software-management.github.io/rpm/manual/spec.html#build-scriptlets
[4] https://github.com/rpm-software-management/rpm/pull/2984

From nmanthey at amazon.de Wed Apr 17 08:32:23 2024
From: nmanthey at amazon.de (Manthey, Norbert)
Date: Wed, 17 Apr 2024 08:32:23 +0000
Subject: Check for build file modifications after %check
Message-ID:

Dear all,

due to the recent xz-utils supply chain problem, we looked into
modifying the rpmbuild tool to fail the build if relevant files are
modified during the '%check' phase. We found a similar request on
GitHub:

https://github.com/rpm-software-management/rpm/issues/3010

Is there any discussion about what approach to follow, and how to close
the identified gap? Instead of jailing the process, we wondered whether
hashing and validating the existing files might be a viable, and easier
to provide, building block.
We provided a very simple and incomplete proof of concept, which works
for small packages:

https://github.com/rpm-software-management/rpm/pull/3039

Best,
Norbert

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Managing directors: Christian Schlaeger, Jonathan Weiss
Registered at Amtsgericht Charlottenburg under HRB 149173 B
Registered office: Berlin
VAT ID: DE 289 237 879
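
The hash-and-validate idea raised in the message above, as an added sketch that is neither the proof of concept from the linked pull request nor RPM code: snapshot the build tree before '%check', snapshot it again afterwards, and report every path that was added, removed or modified (content, file type or mode bits). The function names and the constructed directory tree are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each relative path under root to (file type, mode bits, content hash)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            h = hashlib.sha256()
            if stat.S_ISLNK(st.st_mode):
                h.update(os.readlink(path).encode())  # hash the target string only
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
            manifest[os.path.relpath(path, root)] = (
                stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode), h.hexdigest())
    return manifest

def diff(before, after):
    """Return sorted (change, path) pairs describing how the tree changed."""
    changes = [("removed", p) for p in before if p not in after]
    changes += [("added", p) for p in after if p not in before]
    changes += [("modified", p) for p in before if p in after and before[p] != after[p]]
    return sorted(changes)

def demo():
    """Constructed tree; the writes after the first snapshot stand in for %check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        for rel, data in (("src/lib.o", b"object"), ("configure", b"#!/bin/sh\n"),
                          ("README", b"docs")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = snapshot(root)
        with open(os.path.join(root, "src/lib.o"), "wb") as f:
            f.write(b"0bject")  # same size, different bytes
        os.chmod(os.path.join(root, "configure"), 0o755)  # mode-only change
        os.remove(os.path.join(root, "README"))
        os.symlink("/etc/hostname", os.path.join(root, "src/link"))  # new symlink
        return diff(before, snapshot(root))

if __name__ == "__main__":
    for change, path in demo():
        print(change, path)
```

Timestamps are deliberately left out of the fingerprint, so a file that is rewritten with identical bytes does not fail the comparison, while a same-size content swap does.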