[Rpm-maint] [rpm-software-management/rpm] The road to RPM 6.0 (Discussion #3602)
Panu Matilainen
notifications at github.com
Wed Feb 26 12:51:29 UTC 2025
As we're closing in on the RPM release season, many people will no doubt be wondering what this huge version bump to 6.0 will mean to them. I try to clarify the situation in this post, both from the user and the distro maker points of view.
First and foremost, let's make one thing clear: we want to see RPM 6.x widely adopted in new versions of RPM-based distros. Adopting the new v6 format is totally secondary and something distros are free to manage as they see fit. While v6 packages can be read and even installed with any remotely recent rpm 4.x version, third-party software might make assumptions that just do not hold anymore and thus can and will break. As such breakage may involve things like complicated build pipelines that one just does not fix overnight, we do not want to rush anybody to a new format.
That's why RPM 6.0 produces bit-per-bit compatible v4 packages and is fully compatible with them, and that's how we expect general purpose distros to use it initially. It may well even ship with v4 as the default output format, if only because we don't want to see people hang back in unmaintained 4.x releases just because of some scary format change.
The big case behind 6.0 is bringing RPM's security story into this millennium. The package format is just one, if important, part of that. The format is also practically invisible to the regular user. The biggest end-user visible changes in 6.0 are:
- Enforcing signature checking is on by default
- OpenPGP keys are identified by their full fingerprint wherever available, and full key ID otherwise
Enforced signature checking means that locally built packages are no longer installable just like that, which seems annoying for the users who commonly do so. That is why we're adding support for automatic signing at build time. This is not some high-security signing mechanism for distributing packages; the intended use case is making locally built package usage reasonably convenient without sacrificing overall security.
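As an added illustration of the second bullet above (this is example code written for this page, not code from the rpm project), the following shows how an OpenPGP v4 fingerprint, the 64-bit key ID and the 32-bit "short" key ID relate, and why matching a key on anything shorter than the full fingerprint can be ambiguous. The fingerprint construction follows RFC 4880 section 12.2; the RSA key material and the three "known" fingerprints are constructed for the example and are not real keys. The note that rpm 4.x names imported keys `gpg-pubkey-<8 lowercase hex>-<time>` from the short ID is an assumption about the 4.x convention, not something stated in the post.

```python
"""Added example (not rpm project code): v4 fingerprint vs. key ID vs. short key ID."""
import hashlib
import struct


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length followed by big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet (tag 6): version 4, creation time, algo 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || 2-byte body length || body, returned as uppercase hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 64 bits, i.e. the last 16 hex digits, of a v4 fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit short key ID: the last 8 hex digits. Assumption: rpm 4.x names imported keys
    gpg-pubkey-<these 8 digits, lowercase>-<import time>, so only 32 bits of identity are visible there."""
    return fingerprint[-8:]


# Constructed fingerprints (not real keys). A and B deliberately share the same short key ID.
KNOWN_KEYS = {
    "constructed key A": "11112222333344445555666677778888DEADBEEF",
    "constructed key B": "99998888777766665555444433332222DEADBEEF",
    "constructed key C": "ABCDEF0123456789ABCDEF0123456789ABCDEF01",
}


def match_keys(identifier: str, fingerprints):
    """Return every fingerprint that `identifier` could denote.

    `identifier` may be a full 40-digit fingerprint, a 16-digit key ID or an 8-digit short ID
    (case-insensitive, spaces ignored). Anything shorter than the full fingerprint is a suffix
    match and may return more than one key; a caller must treat len(result) > 1 as ambiguous
    rather than picking the first hit.
    """
    ident = identifier.replace(" ", "").upper()
    if len(ident) not in (8, 16, 40) or any(c not in "0123456789ABCDEF" for c in ident):
        raise ValueError("identifier must be 8, 16 or 40 hex digits")
    return [fp for fp in fingerprints if fp.upper().endswith(ident)]


if __name__ == "__main__":
    # Constructed, deliberately tiny RSA key; a real key would have a 2048-bit or larger modulus.
    fp = v4_fingerprint(v4_public_key_body(1700000000, 0xC0FFEE1234567890ABCDEF, 65537))
    print("fingerprint:", fp)
    print("key ID:     ", key_id(fp))
    print("short ID:   ", short_key_id(fp))
    fps = list(KNOWN_KEYS.values())
    print("short-ID lookup hits:", len(match_keys("deadbeef", fps)))   # ambiguous
    print("fingerprint lookup hits:", len(match_keys(fps[0], fps)))    # exact
```

The point for rpm users is in `match_keys`: a short or full key ID is a suffix of the fingerprint, so a lookup keyed on it can legitimately return several keys, while the full fingerprint identifies exactly one. Note that the creation time is part of the hashed data, so two keys with identical RSA parameters but different timestamps get different fingerprints.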
As for the v6 format itself: you should consider 6.0 alpha the first sneak peek at it, and not 100% final just yet. The target audience of v6 packages produced by 6.0 alpha is developers of other software in the rpm ecosystem looking to test whether their software works with the new format. We promise not to make "physically" incompatible changes (such as removing tags or introducing incompatible new tag types) after the alpha release, but some details may still change between alpha and beta. After the beta release, the format will only change to fix bugs. The bottom line: we encourage people to test the new v6 format in all the ways and places they can think of, but *please do not distribute v6 packages built with pre-release versions of 6.0*.
What about My Pony? There aren't any, really. Except maybe the ability to update OpenPGP keys via `rpmkeys --import`. This sorely missed feature is now finally supported. Missing ponies also means there aren't *any* build-breaking changes like 4.20 had.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/3602