Fedora Linux 43 to Feature RPM 6

Fedora Linux 43 may ship with RPM 6, bringing enhanced security features like enforced signature checking and multiple signatures per package.

Fedora 42 isn’t out yet—it’s scheduled to launch in just over a month, around mid-April. However, developers are already looking ahead and laying out plans for the 43 release, which is expected to arrive later this year, likely in late October or early November.

In light of this, Fedora is eyeing a major transition to RPM 6 (a package management system used in RHEL-based Linux distros) in its upcoming version 43. For reference, Fedora 41 currently uses RPM 4.20, which won’t change in Fedora 42.

Although this proposal remains subject to approval by the Fedora Engineering Steering Committee (FESCo), a key governing body within the Fedora Project that oversees various technical decisions related to the distro’s development, it’s already on the table and has everything it needs to become a reality.

What do users get out of this? One word – security. RPM 6 comes with signature checking turned on by default, ensuring that only positively verified packages can be installed. In other words, users will no longer be able to install unsigned or tampered packages without explicitly choosing to override the system’s security measures.

While power users can still bypass checks with command-line options—think --nosignature—and tweak certain settings to keep their existing workflows, the RPM maintainers encourage people to adopt more secure practices, such as importing trusted keys or using automated signing.

Moreover, RPM 6 aims to introduce a streamlined approach to key management. Instead of relying on collision-prone short key IDs, it will reference OpenPGP keys by fingerprint or full key ID. This adjustment should alleviate the nagging issue of key collisions that has occasionally plagued short IDs.
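To make the difference between these identifiers concrete, here is an added Python example; it is not code from RPM or Fedora. It assumes OpenPGP v4 keys (RFC 4880), where the long and short key IDs are the low 64 and 32 bits of the fingerprint, and its function names, packet bytes and keyring entries are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over 0x99,
    a two-byte big-endian length, then the public-key packet body."""
    framed = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def long_key_id(fpr: str) -> str:
    return fpr[-16:]  # low 64 bits of the fingerprint

def short_key_id(fpr: str) -> str:
    return fpr[-8:]   # low 32 bits of the fingerprint

def resolve(keyring, ident: str):
    """Every keyring fingerprint that the given identifier could refer to."""
    ident = ident.upper()
    return sorted(f for f in keyring if f.endswith(ident))

def ambiguous_ids(keyring, id_func):
    """Map each derived ID that is shared by several keys to those keys."""
    groups = defaultdict(list)
    for fpr in keyring:
        groups[id_func(fpr)].append(fpr)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed packet body (placeholder bytes, not a valid key): version 4,
# zero creation time, algorithm octet 1, then dummy key material.
SAMPLE_BODY = b"\x04" + (0).to_bytes(4, "big") + b"\x01" + b"constructed-key-material"

# Constructed keyring: hand-written fingerprints, not real keys. The first
# two deliberately end in the same 8 hex digits, so their short IDs match.
KEY_A = "A1" * 12 + "0000AAAA" + "DEADBEEF"
KEY_B = "B2" * 12 + "0000BBBB" + "DEADBEEF"
KEY_C = "C3" * 12 + "0000CCCC" + "0BADF00D"
KEYRING = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    print("fingerprint:", fpr)
    print("long key ID:", long_key_id(fpr), "short key ID:", short_key_id(fpr))
    # A short ID names two different keys; the long ID and fingerprint do not.
    print("short ID clashes:", ambiguous_ids(KEYRING, short_key_id))
    print("long ID clashes:", ambiguous_ids(KEYRING, long_key_id))
    print("lookup by short ID:", resolve(KEYRING, "deadbeef"))
    print("lookup by fingerprint:", resolve(KEYRING, KEY_A))
```

A lookup that returns more than one fingerprint is the ambiguity that referencing keys by fingerprint or full key ID removes.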

Another big deal is that RPM 6 sets the stage for future support of the v6 package format (support for the v3 format will be dropped). While Fedora 43 will remain on v4 package generation—so everyday users need not worry about immediate format changes—early adopters and third-party developers will be able to experiment with the new format.

Under the hood, RPM 6 also opens the door to alternative signing mechanisms, including Sequoia-sq, which can serve as a drop-in replacement for GnuPG.

So, what does all this mean for users? Day-to-day package installs and updates in Fedora 43 should mostly proceed as usual, with added peace of mind that security checks are being enforced from the get-go.

It’s also worth mentioning that, according to the roadmap, RPM 6 is still in development, with the first stable release of RPM 6.0 expected in Q3 2025. That doesn’t leave Fedora developers much time to integrate it into the final stable Fedora 43 release.

However, if unforeseen obstacles emerge, the Fedora team has a contingency plan: reverting to RPM 4.20 by the beta freeze. But this fallback seems unlikely given the thorough testing that typically accompanies RPM releases—plus the constant feedback loop of Fedora developers and community members.

For more information, see the proposal itself.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.