RPM, the powerful package management system widely used in the Linux ecosystem, has released its latest version, 4.20.
For those unfamiliar, it is responsible for packaging, installing, and managing software in many Linux distributions, primarily being used in Red Hat Enterprise Linux and its derivatives such as Alma, Rocky, and Oracle, and, of course, in Fedora and CentOS Stream.
Key Highlights of RPM 4.20
One of the biggest highlights of RPM 4.20 is the addition of declarative build system support. This means that developers can now specify which build system (like Autotools or CMake) is being used for their software, and RPM will automatically prepare, compile, and install the sources according to the best practices of that build system.
What are the benefits? In simple words, this feature reduces redundant boilerplate and allows software packagers to tweak these processes to align with distribution preferences.
Additionally, RPM 4.20 introduces dynamic spec file improvements. These files describe how to build RPM packages, and in this version, they can now include new directives that don’t impact the actual build process, allowing for greater modularity and maintainability.
Also, each package now has an RPM-controlled per-build directory, which helps organize builds and prevents clashes between different packages during the build process.
Another interesting feature is the new unshare plugin, designed to provide scriptlet isolation. For context, scriptlets are commands executed before or after installing a package. With the unshare plugin, these commands can be isolated, preventing them from accidentally accessing the filesystem or network, thereby improving security and consistency.
In terms of usability, RPM 4.20 makes several improvements. The rpmkeys command, used for managing cryptographic keys, now has options to list and delete keys, making it easier for users to manage their keyrings. Moreover, rpmsign can now use ECDSA keys to sign packages, adding a new level of cryptographic flexibility.
For those who prefer modern formats, RPM now supports JSON-formatted output for queries, a more readable alternative to XML that can facilitate integration with other tools that consume RPM data.
Another change worth noting is that the rpm2archive utility, used to convert RPMs to archive formats, now supports the CPIO (Copy In Copy Out) file format, enhancing compatibility with legacy systems. The old rpm2cpio command is now simply a symlink to this updated utility.
For developers, the public plugin API is now officially available, opening up new opportunities for extending RPM’s capabilities. The addition of a new multi-file protocol also aims to significantly speed up dependency generation—a crucial feature that all Linux users will warmly welcome.
The release includes improvements geared towards achieving better support for reproducible builds, an essential aspect of modern software development that ensures builds can be recreated consistently regardless of when or where they occur.
In light of this, RPM now provides a new macro, %build_mtime_policy, which can be configured to clamp timestamps either to the source date epoch or to build time, improving consistency across builds.
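Why clamping file timestamps matters for reproducibility, as an added illustration that is not RPM's own code: it packs the same files into a plain tar archive (standing in for a package payload) at two different build times and compares digests with and without clamping to the source date epoch. File names, contents and timestamps are constructed, and clamping is assumed to mean lowering any timestamp newer than the limit while leaving older ones alone.

```python
import hashlib
import io
import tarfile

SOURCE_DATE_EPOCH = 1_700_000_000  # constructed: date of the last source change
SOURCE_MTIME = 1_690_000_000       # constructed: file shipped unchanged from the sources
BUILD_A = 1_727_000_000            # constructed: first build
BUILD_B = 1_727_086_400            # constructed: rebuild one day later

def payload(build_time):
    """Constructed file set: name -> (content, mtime). Generated files carry the build clock."""
    return {
        "usr/bin/hello": (b"\x7fELF...", build_time),
        "usr/share/doc/hello/README": (b"hello\n", SOURCE_MTIME),
    }

def clamp(mtime, limit):
    """Lower timestamps newer than limit to limit; leave older ones untouched."""
    return min(mtime, limit)

def pack(files, limit=None):
    """Pack files into an uncompressed tar with fixed ordering and default ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data, mtime = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime if limit is None else clamp(mtime, limit)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def mtimes(blob):
    """Read back the timestamp recorded for each archive member."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

if __name__ == "__main__":
    for label, limit in (("unclamped", None), ("clamped", SOURCE_DATE_EPOCH)):
        a, b = pack(payload(BUILD_A), limit), pack(payload(BUILD_B), limit)
        print(f"{label:9} identical={sha256(a) == sha256(b)} mtimes={mtimes(b)}")
```

A rebuild whose digest matches the published artifact is what lets a third party confirm that a binary package corresponds to its sources.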
Lastly, several bug fixes and quality-of-life improvements enhance reliability and performance. For instance, RPM no longer attempts to process certain non-executable files like Ruby, Python, or JavaScript files during stripping, making it faster and more efficient. The sanitization of spec comments and indentation syntax has also been improved, ensuring cleaner and more readable specifications.
When will users be able to take advantage of this enhanced package manager? The good news is that FESCo has approved RPM 4.20 for inclusion in the upcoming Fedora 41 release, scheduled for early November. So, just another month of patience.
The release notes provide more in-depth technical information on all RPM 4.20 Linux package manager changes. Happy packaging!